CVE-2025-52882: Missing Origin Validation in WebSockets in Claude-code

Severity
8.8 HIGH (NVD)
EPSS
0.3%
top 50.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Latest update: Jun 23
Published: Jun 24

Description

Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, PyCharm, and Android Studio) are vulnerable to unauthorized WebSocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For JetBrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks),

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Affected Packages: 2 packages

npm  anthropic-ai/claude-code  0.2.116  1.0.24
CVEListV5  anthropics/claude-code  >= 0.2.116 < 1.0.24

Vulnerability Details

2
GHSA
Claude Code Improper Authorization via websocket connections from arbitrary origins (2025-06-23)
OSV
Claude Code Improper Authorization via websocket connections from arbitrary origins (2025-06-23)