CVE-2026-25725
Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json
In short
Claude Code's sandbox had a weakness where missing configuration files could be created by malicious code inside the sandbox, allowing attackers to inject commands that run with full computer privileges when the tool restarts.
Technical detail
CVE-2026-25725 exploits improper file access controls in bubblewrap sandbox initialization; attackers with code execution inside the sandbox can create .claude/settings.json and inject persistent hooks (e.g., SessionStart commands) that execute with host privileges upon tool restart, bypassing sandbox restrictions through configuration injection.
Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
anthropics · claude-codeWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →