CVE-2026-25725

10.0 CRITICAL

📋 TL;DR

This vulnerability allows malicious code running inside Claude Code's sandbox to create a missing settings.json file and inject persistent hooks that execute with host privileges upon restart. It affects users of Claude Code versions prior to 2.1.2 who run untrusted code within the sandbox.

💻 Affected Systems

Products:
  • Claude Code
Versions: All versions prior to 2.1.2
Operating Systems: All platforms where Claude Code runs
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when running untrusted code within the sandbox and when .claude/settings.json does not exist at startup.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full host compromise through persistent malicious hooks that execute with elevated privileges on every Claude Code restart, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malicious code execution with host privileges, allowing attackers to steal sensitive data, install backdoors, or modify system configurations.

🟢 If Mitigated

Limited impact if the sandbox only runs trusted code or if proper file permissions prevent unauthorized file creation.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to execute code within the sandbox environment.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.1.2

Vendor Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf

Restart Required: Yes

Instructions:

1. Update Claude Code to version 2.1.2 or later.
2. Restart Claude Code to apply the fix.
3. Verify the update was successful.

🔧 Temporary Workarounds

Create protected settings.json
Platforms: all

Manually create the settings.json file with proper permissions before running untrusted code:

touch ~/.claude/settings.json
chmod 444 ~/.claude/settings.json

Run only trusted code
Platforms: all

Avoid executing untrusted or unknown code within the Claude Code sandbox.

🧯 If You Can't Patch

  • Avoid running untrusted code in Claude Code sandbox
  • Monitor for unauthorized file creation in ~/.claude/ directory

🔍 How to Verify

Check if Vulnerable:

Check the Claude Code version and verify whether .claude/settings.json exists with proper permissions.

Check Version:

claude-code --version

Verify Fix Applied:

Verify that the Claude Code version is 2.1.2 or later and test that settings.json cannot be created or modified by sandboxed code.
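A check script for the workaround and verification steps above, added here as an example that is not part of this advisory or of Claude Code itself. It assumes the fix version 2.1.2 stated on this page, a bare version string (such as the number printed by `claude-code --version`), and whichever .claude/settings.json path you are checking; the demonstration at the end runs on constructed fixtures only.

```sh
#!/bin/sh
# Added example (not from the advisory or the Claude Code project).
# Assumes fix version 2.1.2 and a bare dotted version string as input.

# Return 0 if dotted version $1 is greater than or equal to $2.
version_ge() {
    left="$1" right="$2"
    while [ -n "$left" ] || [ -n "$right" ]; do
        l=${left%%.*} r=${right%%.*}
        case "$left"  in *.*) left=${left#*.} ;;   *) left="" ;; esac
        case "$right" in *.*) right=${right#*.} ;; *) right="" ;; esac
        l=${l%%[!0-9]*} r=${r%%[!0-9]*}          # drop suffixes like "-beta"
        [ "${l:-0}" -gt "${r:-0}" ] && return 0
        [ "${l:-0}" -lt "${r:-0}" ] && return 1
    done
    return 0
}

# Return 0 if the settings file is in the workaround state: a regular file
# whose mode bits grant no write permission (checked via ls, so the verdict
# does not change when run as root, unlike a plain -w test).
settings_protected() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)           # e.g. -r--r--r--
    case "$mode" in *w*) return 1 ;; esac
    return 0
}

# Print a verdict; return 0 when the host is patched or the workaround holds.
assess() {
    version="$1" path="$2"
    if version_ge "$version" "2.1.2"; then
        echo "patched: Claude Code $version >= 2.1.2"
    elif settings_protected "$path"; then
        echo "unpatched, workaround in place: $path exists and is read-only"
    else
        echo "EXPOSED: $version < 2.1.2 and $path is missing or writable"
        return 1
    fi
}

# Stand-alone demonstration on constructed fixtures (no Claude Code needed).
demo=$(mktemp -d)
echo '{}' > "$demo/settings.json"
chmod 444 "$demo/settings.json"
assess 2.1.1 "$demo/missing.json" || true        # EXPOSED
assess 2.1.1 "$demo/settings.json"               # workaround in place
assess 2.1.2 "$demo/missing.json"                # patched
rm -rf "$demo"
```

On a real host, call `assess "<version>" ~/.claude/settings.json` (and the project-level .claude/settings.json the Notes mention) instead of the fixture lines.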

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized file creation in ~/.claude/ directory
  • Unexpected SessionStart command execution

Network Indicators:

  • Unusual outbound connections from Claude Code process

SIEM Query:

File creation events in ~/.claude/ directory by Claude Code process
