We use cookies to improve your experience on our site.
AVID-2026-R0424
Description
Zed IDE LSP Configuration Code Execution
Details
The Zed IDE loads Language Server Protocol (LSP) configurations from the settings.json file located within a project’s .zed subdirectory. A malicious LSP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered when a user opens project file for which there is an LSP entry.
References
Affected or Relevant Artifacts
- Developer: Zed Industries
- Deployer:
- Artifact Details:
| Type | Name |
|---|---|
| System | Zed IDE |
Impact
- (none)
Other information
- Report Type: Advisory
- Credits: Aaron Portnoy, Mindgard
- Date Reported: 2025-11-16
- Version: 0.3.1
- AVID Entry