CVE-2026-25725

EUVD-2026-5616

06.02.2026, 18:16

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
anthropic	claude_code	𝑥 < 2.1.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-501 - Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.

References

https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf