CVE-2025-59536

8.8 HIGH

📋 TL;DR

Claude Code versions before 1.0.111 contain a code injection vulnerability that allows arbitrary code execution when a user starts the application in an untrusted directory. The flaw bypasses the startup trust dialog, so malicious code in the directory can run before the user has consented. Users who update manually may still be running a vulnerable version; users on auto-update have already received the fix.

💻 Affected Systems

Products:
  • Claude Code
Versions: All versions before 1.0.111
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability activates when users start Claude Code in untrusted directories containing malicious code.

📦 What is this software?

Claude Code is Anthropic's command-line coding agent. It runs in a project directory and can read, edit and execute code there, which is why the startup trust dialog for untrusted directories matters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via arbitrary code execution, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Local privilege escalation or execution of malicious scripts from untrusted project directories, compromising user data and system integrity.

🟢 If Mitigated

No impact if users only run Claude Code in trusted directories or have updated to the patched version.

🌐 Internet-Facing: LOW - Exploitation requires local access and user interaction with untrusted directories.
🏢 Internal Only: MEDIUM - Internal users could be tricked into running Claude Code in malicious directories, leading to lateral movement within networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires user to start application in malicious directory.

Exploitation requires social engineering to convince users to run Claude Code in untrusted locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.111

Vendor Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g

Restart Required: Yes

Instructions:

1. Check the current version with 'claude-code --version'.
2. If the version is below 1.0.111, download the latest release from the official source.
3. Install the update.
4. Restart Claude Code.

🔧 Temporary Workarounds

Restrict directory usage (all platforms): only run Claude Code in trusted, controlled directories.

Disable auto-start features (all platforms): prevent Claude Code from automatically opening recent projects.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent unauthorized code execution
  • Restrict user permissions and implement least privilege access controls

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Claude Code version is below 1.0.111, and whether the application runs code from an untrusted directory without first showing the trust prompt.

Check Version:

claude-code --version

Verify Fix Applied:

Update to version 1.0.111 or later and confirm that the trust dialog appears before any code is executed when starting in an untrusted directory.
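An added version-gate script (not from the advisory or the Claude Code project) that parses the output of the version command named above and compares it numerically against 1.0.111, so that a version such as 1.0.9 is not mistaken for a newer one by string comparison; it assumes `claude-code` is on PATH and that its output contains a MAJOR.MINOR.PATCH triple.

```python
from __future__ import annotations

import re
import shutil
import subprocess

# First fixed version, as stated in the advisory.
PATCHED_VERSION = (1, 0, 111)


def parse_version(output: str) -> tuple[int, ...] | None:
    """Extract the first MAJOR.MINOR.PATCH triple from CLI output.

    Tolerates a leading 'v', trailing text such as '(Claude Code)' and a
    pre-release suffix like '-beta.1' (ignored for the comparison).
    """
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(output: str) -> bool | None:
    """True if the reported version is below 1.0.111, None if unparseable."""
    v = parse_version(output)
    if v is None:
        return None
    # Tuple comparison is numeric per component, so (1,0,9) < (1,0,111).
    return v < PATCHED_VERSION


def check_installed() -> bool | None:
    """Run `claude-code --version` (assumed to be on PATH, as the advisory
    names it) and evaluate the result; None if missing or unrecognised."""
    if shutil.which("claude-code") is None:
        return None
    proc = subprocess.run(["claude-code", "--version"],
                          capture_output=True, text=True, check=False)
    return is_vulnerable(proc.stdout + proc.stderr)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("claude-code not found or version not recognised; check manually")
    elif result:
        print("VULNERABLE: update to 1.0.111 or later, then restart Claude Code")
    else:
        print("OK: version is 1.0.111 or later")
```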

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution from Claude Code
  • Trust dialog bypass events
  • Code execution from untrusted paths

Network Indicators:

  • Unusual outbound connections from Claude Code process

SIEM Query:

Process creation events where the parent process is Claude Code and the command line contains unexpected interpreter or shell invocations (adapt to your SIEM's query language).
