AI Agent Remote Code Execution
A critical vulnerability in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required.
Impact
This vulnerability stemmed from a permissions bypass in the Agent Panel. The rules for agents having write access to local files were:
- When the built-in `edit_file` tool is enabled (which it is when using the built-in Write profile), the agent is permitted to write to files in local project directories only, not files outside the project (such as the user's global settings).
- Other tools can potentially cause writes to happen outside the project, such as the `terminal` tool, but these tools require explicit user permission before running unless the user has enabled the `always_allow_tool_actions` setting.
- Although the agent could not use `edit_file` to edit the user's global settings file when its path is outside the current project, the agent could use `edit_file` to create or edit a local project-specific settings file (such as `./.zed/settings.json`) which would enable `always_allow_tool_actions` for the current project. From there, the agent would have been able to run any tool without user confirmation, including the `terminal` tool, which could be used for Remote Code Execution (RCE) and a full compromise of the system.
An attacker could have triggered this flaw by hijacking the user's AI chat context through various means, such as a compromised MCP server, malicious files in a version-controlled repository, or by tricking the user into fetching a URL with hidden malicious instructions. A specially crafted prompt could have then instructed the AI Agent to create or modify a local `./.zed/settings.json` file to enable the `always_allow_tool_actions` setting.
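The defensive lesson from the bypass above is that "inside the project" is not a sufficient criterion for an unconfirmed write: a project-local file that can grant the agent more permissions has to be gated like a privileged tool action. The following is an added example of such a policy check in Rust (Zed's implementation language); it is hypothetical code written for this advisory, not Zed's own, and the `check_write`, `WriteDecision` and `normalize` names and the sample paths are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Outcome of vetting a write requested through the agent's `edit_file` tool.
#[derive(Debug, PartialEq)]
pub enum WriteDecision {
    Allowed,           // inside the project, ordinary file
    NeedsConfirmation, // inside the project, but the file can grant the agent permissions
    Denied,            // outside the project
}

/// Lexically resolve `.` and `..` so traversal is judged without touching the filesystem.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Hypothetical policy (not Zed's implementation): a write that stays inside the project
/// is allowed, except that a project-local `.zed/settings.json`, which can flip
/// `always_allow_tool_actions`, is gated behind user confirmation like a privileged tool.
pub fn check_write(project_root: &Path, requested: &Path) -> WriteDecision {
    let root = normalize(project_root);
    // `join` with an absolute `requested` discards `root`, so absolute escapes fail below.
    let target = normalize(&root.join(requested));
    let rel = match target.strip_prefix(&root) {
        Ok(rel) => rel,
        Err(_) => return WriteDecision::Denied,
    };
    let parts: Vec<&str> = rel.components().filter_map(|c| c.as_os_str().to_str()).collect();
    // Conservative choice: `.zed/settings.json` at any depth inside the project is privileged.
    let privileged = parts.windows(2).any(|w| w[0] == ".zed" && w[1] == "settings.json");
    if privileged {
        WriteDecision::NeedsConfirmation
    } else {
        WriteDecision::Allowed
    }
}

fn main() {
    let root = Path::new("/home/alice/project"); // constructed sample paths
    for p in ["src/main.rs", "./.zed/settings.json", "../../.config/zed/settings.json"] {
        println!("{:>40} -> {:?}", p, check_write(root, Path::new(p)));
    }
}
```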
Patches
This vulnerability has been patched in version 0.197.3. Users should upgrade immediately to ensure they are protected.
Workarounds
For users unable to upgrade immediately, the recommended workaround is to either avoid sending prompts to the Agent Panel, or to limit the AI Agent's file system access. This can be done by explicitly deselecting tools that have the ability to write to the filesystem, or by switching the agent's tool profile to a more restrictive one, such as "Read" or "Minimal," instead of the "Write" profile.
References
This advisory is based on a security vulnerability report submitted by a security researcher named Ari at MaccariTA.