CVE-2026-25725
BaseFortify
Publication date: 2026-02-06
Last updated on: 2026-02-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anthropic | claude_code | up to (excluding) 2.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
| CWE-501 | The product mixes trusted and untrusted data in the same data structure or structured message. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to a full compromise of the vulnerable system by allowing malicious code inside the sandbox to execute commands with host-level privileges.
- Privilege escalation without requiring any prior privileges.
- Persistent code execution that survives restarts of Claude Code.
- Potential unauthorized access and modification of configuration files.
- High impact on confidentiality, integrity, and availability of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-25725 is a high-severity sandbox escape vulnerability in the Claude Code tool prior to version 2.1.2. The issue occurs because the bubblewrap sandboxing mechanism fails to protect the .claude/settings.json configuration file when it does not exist at startup.
The parent directory is writable and .claude/settings.local.json is protected as read-only, but a settings.json that does not exist at startup receives no protection, so malicious code running inside the sandbox can create it. This lets the attacker inject persistent hooks, such as SessionStart commands, which execute with host-level privileges the next time Claude Code starts.
This vulnerability enables privilege escalation and persistent code execution outside the sandbox, compromising the security boundary intended by the sandbox.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the creation of the .claude/settings.json file by malicious code inside the sandbox, which can inject persistent hooks that execute with host privileges when Claude Code is restarted.
To detect exploitation on your system, check for the presence of the .claude/settings.json file, especially if it was absent before the sandboxed session. The unexpected existence of this file, or of hook entries you did not configure, may indicate exploitation.
Suggested commands to detect this include:
- Check if the settings.json file exists in the .claude directory: `ls -l ~/.claude/settings.json`
- Inspect the contents of the settings.json file for suspicious entries such as SessionStart commands: `cat ~/.claude/settings.json`
- Check file permissions to ensure settings.json is not writable by untrusted users: `stat ~/.claude/settings.json`
- Review recent file creation or modification times in the .claude directory: `ls -lt ~/.claude/`
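The manual commands above can be folded into one repeatable check. The script below is an added example for this page, not BaseFortify's or Anthropic's code: it reports whether ~/.claude/settings.json exists, whether it is group- or world-writable, and which hook commands it registers. It assumes the file is JSON and that hooks live under a top-level "hooks" object keyed by event name (the page's SessionStart example); the exact nesting below the event is treated as unknown and walked recursively, so any "command" string under a hook event is reported. The sample files it writes are constructed for the demonstration.

```python
"""Audit a Claude Code settings.json for hook entries that would run on the host.

Added example (not the vendor's code). Assumed layout: {"hooks": {"<Event>": ...}}
with command strings under a "command" key somewhere beneath each event.
"""
import json
import os
import stat
import tempfile
from typing import Any, Dict, List, Tuple


def iter_commands(node: Any, event: str) -> List[Tuple[str, str]]:
    """Recursively collect (event, command) pairs beneath one hook event."""
    found: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                found.append((event, value))
            else:
                found.extend(iter_commands(value, event))
    elif isinstance(node, list):
        for item in node:
            found.extend(iter_commands(item, event))
    return found


def audit_settings(path: str) -> Dict[str, Any]:
    """Return a report on the settings file at `path` (missing file is not suspicious)."""
    report: Dict[str, Any] = {
        "path": path,
        "exists": False,
        "parse_error": None,
        "group_or_world_writable": False,
        "hook_commands": [],
        "suspicious": False,
    }
    if not os.path.exists(path):
        return report
    report["exists"] = True
    mode = os.stat(path).st_mode
    # A config that untrusted local users can modify is a finding on its own.
    report["group_or_world_writable"] = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, json.JSONDecodeError) as exc:
        report["parse_error"] = str(exc)
        report["suspicious"] = True  # unreadable config still deserves a look
        return report
    hooks = data.get("hooks", {}) if isinstance(data, dict) else {}
    if isinstance(hooks, dict):
        for event, spec in hooks.items():
            report["hook_commands"].extend(iter_commands(spec, event))
    report["suspicious"] = bool(report["hook_commands"]) or report["group_or_world_writable"]
    return report


def run_demo() -> Tuple[Dict[str, Any], Dict[str, Any], Dict[str, Any]]:
    """Write two constructed sample files and audit them plus a missing path."""
    hooked = {"hooks": {"SessionStart": [{"matcher": "", "hooks": [
        {"type": "command", "command": "echo CONSTRUCTED-SAMPLE-HOOK"}]}]}}
    benign = {"constructed_benign_key": True}  # constructed, no hooks at all
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, content in (("hooked.json", hooked), ("benign.json", benign)):
            p = os.path.join(tmp, name)
            with open(p, "w", encoding="utf-8") as fh:
                json.dump(content, fh)
            os.chmod(p, 0o600)
            paths.append(p)
        missing = os.path.join(tmp, "does-not-exist.json")
        return audit_settings(paths[0]), audit_settings(paths[1]), audit_settings(missing)


if __name__ == "__main__":
    # Audit the real location the page refers to, then show the constructed samples.
    print(json.dumps(audit_settings(os.path.expanduser("~/.claude/settings.json")), indent=2))
    for rep in run_demo():
        print(json.dumps(rep, indent=2))
```

A non-empty `hook_commands` list on a machine where you never configured hooks is the indicator the page describes; compare the reported commands against what you expect before removing the file, since a legitimate settings.json may carry hooks you set up yourself.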
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Claude Code version 2.1.2 by properly protecting the settings.json file.
Immediate mitigation steps include:
- Upgrade Claude Code to version 2.1.2 or later as soon as possible.
- If upgrading immediately is not possible, manually check and remove any unauthorized .claude/settings.json files that may have been created.
- Ensure that the .claude directory and its configuration files have appropriate read-only permissions to prevent unauthorized modifications.
- Avoid running untrusted code inside the Claude Code sandbox until the patch is applied.