{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25725", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-05T16:48:00.426Z", "datePublished": "2026-02-06T17:53:42.543Z", "dateUpdated": "2026-02-06T19:15:02.998Z"}, "containers": {"cna": {"title": "Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json", "problemTypes": [{"descriptions": [{"cweId": "CWE-501", "lang": "en", "description": "CWE-501: Trust Boundary Violation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-668", "lang": "en", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf"}], "affected": [{"vendor": "anthropics", "product": "claude-code", "versions": [{"version": "< 2.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T17:53:42.543Z"}, "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2."}], "source": {"advisory": "GHSA-ff64-7w26-62rf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T19:04:47.766753Z", "id": "CVE-2026-25725", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:15:02.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25725", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T19:04:47.766753Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T19:14:58.348Z"}}], "cna": {"title": "Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json", "source": {"advisory": "GHSA-ff64-7w26-62rf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "anthropics", "product": "claude-code", "versions": [{"status": "affected", "version": "< 2.1.2"}]}], "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf", "name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-501", "description": "CWE-501: Trust Boundary Violation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-668", "description": "CWE-668: Exposure of Resource to Wrong Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T17:53:42.543Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25725", "state": "PUBLISHED", "dateUpdated": "2026-02-06T19:15:02.998Z", "dateReserved": "2026-02-05T16:48:00.426Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T17:53:42.543Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "BFD4F565-E51C-4E83-815C-B2D2A0EEB5E6", "versionEndExcluding": "2.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2."}], "id": "CVE-2026-25725", "lastModified": "2026-02-09T14:46:12.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T18:16:00.187", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-501"}, {"lang": "en", "value": "CWE-668"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:37:04.206779+00:00", "value": {"mitigation_remediation": ["Upgrade to Claude Code 2.1.2 or later.", "If an immediate upgrade is not possible, delete any existing .claude/settings.json file and configure the application to avoid writing persistent hooks; ensure the file is not writable by the sandbox.", "Regularly audit the .claude directory for unexpected configuration files or modifications."], "summary": {"action": "Apply Patch", "impact": "Sandbox Escape \u2013 privileged execution"}, "threat_synthesis": {"affected_systems": "Versions of Anthropics Claude Code before 2.1.2 are affected. The issue occurs when .claude/settings.json is missing during startup; newer releases mount the file as read\u2011only and are unaffected. The vulnerability applies to all operating environments where Claude Code is installed locally.", "description_and_impact": "Claude Code uses a bubblewrap sandbox to isolate its execution. When the settings.json file does not exist at startup, the sandbox incorrectly allows writable access to the parent directory. Malicious code running inside the sandbox can create or modify that file and insert persistent hooks, such as SessionStart commands, that will run with host privileges when Claude Code restarts. The flaw, identified as CWE\u2011501 and CWE\u2011668, enables a form of privilege escalation that can compromise the host system.", "risk_and_exploitability": "The CVSS base score of 7.7 places this vulnerability in the high severity range, while the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in CISA\u2019s KEV catalog. Exploitation requires the ability to run code inside the sandbox, which is typically possible after the sandbox has been compromised or during normal operation of Claude Code. Once the file is created, the attacker gains host privilege execution each time the host restarts."}}}}, "created": "2026-02-09T10:49:34.855129+00:00", "updated": "2026-04-17T22:45:29.933455+00:00", "vendors": ["anthropics", "anthropics$PRODUCT$claude_code"]}