Impact
The vulnerability exists in Zed IDE prior to version 0.227.1, where the application executes, without any check, the command configured in the "core.fsmonitor" option of a repository's ".git/config" file. An attacker who plants such a poisoned configuration file in a project folder can run arbitrary code on the host system when a user opens that folder in untrusted mode. The weakness is classified as CWE-78 (OS Command Injection): attacker-controlled configuration data is handed to the operating system as a command. The impact is code execution with the privileges of the user running Zed, which is enough to compromise that user's data and credentials and, depending on the account's rights, the host machine itself.
Affected Systems
Zed IDE, provided by zed-industries, is affected by this flaw in all releases prior to 0.227.1; upgrading to 0.227.1 or later resolves the issue. Any installation of Zed that remains on an older version and is used to open project folders from untrusted sources is vulnerable. No specific operating-system restrictions are indicated; the problem is intrinsic to the application layer, since Zed runs the configured command on every platform it supports.
Risk and Exploitability
The CVSS score of 8.6 indicates a high-severity vulnerability. No EPSS score is publicly available, and the vulnerability is not listed in CISA's KEV catalog, which suggests no widespread exploitation has been reported to date. The attack vector is a project folder that contains a poisoned ".git/config" file. Because ".git/config" is not transmitted by "git clone", such a folder typically arrives as a downloaded archive (zip or tarball), a shared or synced directory, or a pre-populated checkout rather than through a normal clone. The attacker needs the victim to open that folder in Zed in untrusted mode, a scenario that can occur easily when downloading and exploring open-source projects. Once opened, the configured command runs with the privileges of the user running Zed, giving the attacker arbitrary code execution on the victim's machine.
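As an added example (not code from the advisory or from the Zed project), the following Python script shows a pre-open check a practitioner can run against a downloaded folder before opening it in any IDE: it parses every ".git/config" found under the folder with a small parser for git's INI-like config format and flags "core.fsmonitor", a few other well-known command-executing keys, and any "include.path" entries that could pull such a setting in from another file. The extra keys beyond core.fsmonitor, the helper names and the sample configs are assumptions constructed for illustration. The advisory's own fix is upgrading to Zed 0.227.1 or later; this check is a complementary triage step for untrusted folders.

```python
import os
import re
import shutil
import tempfile
from typing import Dict, List, Tuple

# Git config keys whose values git, or an IDE driving git, runs as a command.
# core.fsmonitor is the key from this advisory; the others are added here as
# further well-known command-executing keys (assumption: in a repository you did
# not create yourself, they deserve the same suspicion).
COMMAND_KEYS = {
    "core.fsmonitor",
    "core.sshcommand",
    "core.gitproxy",
    "core.hookspath",
    "diff.external",
}

# Matches [section] or [section "subsection"] header lines.
_SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')


def parse_git_config(text: str) -> Dict[str, List[str]]:
    """Minimal parser for the .git/config format.

    Returns 'section.key' or 'section.subsection.key' -> list of values in file
    order. Section and key names are case-insensitive in git (lowercased here);
    subsection names are case-sensitive and kept as written. Inline comments are
    not stripped: that only lengthens a flagged value, it never hides one.
    """
    entries: Dict[str, List[str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        if section is None:
            continue  # key before any section header: git rejects it, skip it
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not key:
            continue
        value = value.strip() if sep else "true"  # bare key means boolean true
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        entries.setdefault(f"{section}.{key}", []).append(value)
    return entries


def find_command_keys(config_text: str) -> List[Tuple[str, str]]:
    """Return (key, value) for every command-executing key in one config text.

    include.path and includeIf.<cond>.path are reported as well: this scanner
    does not follow includes, so an include could smuggle in core.fsmonitor.
    """
    hits: List[Tuple[str, str]] = []
    for key, values in parse_git_config(config_text).items():
        is_include = key.startswith(("include.", "includeif.")) and key.endswith(".path")
        if key in COMMAND_KEYS or is_include:
            hits.extend((key, v) for v in values)
    return hits


def scan_folder(path: str) -> List[Tuple[str, str, str]]:
    """Check every .git/config under path (nested repositories included).

    Returns (config_path, key, value) triples. A .git *file* (worktrees,
    submodules with a gitdir: pointer) is not followed; inspect those by hand.
    """
    hits: List[Tuple[str, str, str]] = []
    for root, _dirs, files in os.walk(path):
        if os.path.basename(root) == ".git" and "config" in files:
            cfg = os.path.join(root, "config")
            with open(cfg, encoding="utf-8", errors="replace") as fh:
                hits.extend((cfg, k, v) for k, v in find_command_keys(fh.read()))
    return hits


# Constructed sample configs for the demo; not taken from any real repository.
POISONED_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tfsmonitor = sh -c 'touch /tmp/pwned'
[remote "origin"]
\turl = https://example.invalid/repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""

BENIGN_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://example.invalid/repo.git
"""


def demo() -> List[Tuple[str, str, str]]:
    """Lay out a project folder carrying the poisoned config in a temp dir and
    scan it the way you would before opening an unknown folder."""
    base = tempfile.mkdtemp(prefix="git-config-scan-")
    try:
        git_dir = os.path.join(base, "project", ".git")
        os.makedirs(git_dir)
        with open(os.path.join(git_dir, "config"), "w", encoding="utf-8") as fh:
            fh.write(POISONED_CONFIG)
        return scan_folder(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for cfg, key, value in demo():
        print(f"{cfg}: {key} = {value!r}")
```

Point `scan_folder` at the unpacked archive before opening it in the IDE; any hit is a reason to delete the ".git/config" entry (or the whole folder) first, independent of whether the IDE in use has been patched.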
OpenCVE Enrichment