Vulnerability Description
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Anthropic | Claude Code | < 2.1.2 |
Related Weaknesses (CWE)
References
- https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rThird Party Advisory
FAQ
What is CVE-2026-25725?
CVE-2026-25725 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exi...
How severe is CVE-2026-25725?
CVE-2026-25725 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-25725?
Check the references section above for vendor advisories and patch information. Affected products include: Anthropic Claude Code.