CVE-2025-59536
Published: 2025-10-03
Priority: P267 high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 30.23% (98.0th percentile)
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anthropic-ai | claude-code | >= 0 < 1.0.111 | 1.0.111 |
| anthropic | claude_code | < 1.0.111 | 1.0.111 |
| anthropics | claude-code | < 1.0.111 | 1.0.111 |
Detection & IOCs
- Monitor for execution of hooks triggered by the SessionStart event in Claude Code before the trust dialog is accepted; hook commands in .claude/settings.json execute automatically without additional confirmation prompts.
- Hunt for the Rust-based dropper ClaudeCode_x64.exe delivered via trojanized GitHub repositories; on execution it drops Vidar v18.7 (infostealer) and GhostSocks (SOCKS proxy).
- Monitor for anomalous outbound connections to Steam community profile URLs and Telegram from developer workstations, as these are used as Vidar Dead Drop Resolvers to retrieve C2 addresses.
- Detect cloning or downloading from GitHub repositories named 'leaked-claude-code' or associated with the threat actor account 'idbzoomh1', which distribute trojanized payloads.
- Use Zscaler threat names Win64.Downloader.TradeDownloader, Win32.PWS.Vidar, and Win32.Trojan.GHOSTSOCKS for detection of payloads associated with the trojanized Claude Code lure campaign.
- The vulnerability requires the user to start Claude Code in an untrusted/malicious directory; exploitation is contingent on a developer cloning and opening an attacker-controlled repository.
- Users on standard Claude Code auto-update will have received the fix automatically; only manual-update users need to act. The fix is in version 1.0.111.
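A pre-open audit for the first and last items above, as an added example that is not taken from the advisory or from Claude Code itself: it lists every hook command defined in project-level settings so a cloned repository can be reviewed before the tool is started in it, and checks a version string against the fixed release. The nested `hooks` → event → group → `hooks` → `{type, command}` layout and the `settings.local.json` file name are assumptions about the settings format; the sample repository is constructed.

```python
import json
import re
import tempfile
from pathlib import Path

FIXED = (1, 0, 111)  # first fixed release, per the advisory

def is_vulnerable(version: str) -> bool:
    """True when a Claude Code version string is older than 1.0.111."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no x.y.z version in {version!r}")
    return tuple(map(int, m.groups())) < FIXED

def audit_repo(repo):
    """Return (settings path, event, command) for each project hook command."""
    # Assumed layout: {"hooks": {EVENT: [{"hooks": [{"type": "command", ...}]}]}}
    findings = []
    repo = Path(repo)
    for path in sorted(repo.rglob(".claude/settings*.json")):
        rel = path.relative_to(repo).as_posix()
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # Unreadable settings are surfaced for manual review, not skipped.
            findings.append((rel, "UNPARSEABLE", str(exc)))
            continue
        hooks = data.get("hooks") if isinstance(data, dict) else None
        if not isinstance(hooks, dict):
            continue
        for event, groups in hooks.items():
            for group in groups if isinstance(groups, list) else []:
                entries = group.get("hooks", []) if isinstance(group, dict) else []
                for entry in entries if isinstance(entries, list) else []:
                    if isinstance(entry, dict) and entry.get("type") == "command":
                        findings.append((rel, event, entry.get("command", "")))
    return findings

def demo():
    """Build a constructed sample repository and audit it."""
    sample = {"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "echo constructed-sample"}]}]}}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "project" / ".claude"
        cfg.mkdir(parents=True)
        (cfg / "settings.json").write_text(json.dumps(sample), encoding="utf-8")
        (cfg / "settings.local.json").write_text("{not json", encoding="utf-8")
        return audit_repo(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding with event `SessionStart` in a repository that has not been reviewed is worth reading before the tool is launched there, whatever version is installed.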
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
osv·2025-10-03
CVE-2025-59536 [HIGH] Claude Code can execute commands prior to the startup trust dialog
Due to a bug in the startup trust dialog implementation, Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory.
Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.
Thank you to https://hackerone.com/avivdon for reporting this issue!
GHSA
ghsa·2025-10-03
CVE-2025-59536 [HIGH] CWE-94 Claude Code can execute commands prior to the startup trust dialog
No detection rules found.
No public exploits indexed.
Hackernews
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
blogs_hackernews·2026-06-26·CVSS 7.8
CVE-2026-12957 [HIGH] Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
## Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it.
Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers.
Wiz Research, which found and reported it, showed that a single config file dropped in a repo was enough to go from git clone to cloud compromise.
## How the attack worked
A
Wiz
MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension
blogs_wiz·2026-06-26·CVSS 7.8
CVE-2026-12957 [HIGH] MCP Auto-Execution: From Git Clone to Cloud Compromise in Amazon Q VS Code Extension
| Field | Value |
|---|---|
| Severity | High |
| CVE | CVE-2026-12957 |
| Affected Versions | Language server version < 1.65.0 |
| Fixed In | Language server version 1.65.0 |
| Vendor | Amazon Web Services |
| Status | Fixed |
## Executive Summary
Wiz Research discovered a high-severity vulnerability in Amazon Q Developer Extension for Visual Studio Code (VS Code), Amazon's AI-powered coding assistant for VS Code, which allowed attackers to achieve arbitrary code execution and cloud credential theft simply by having a developer open a malicious repository. Amazon Q automatically loaded MCP server configurations from workspace files without user consent. Combined with full environment inheritance, this enabled immediate code execution.
Amazon has remediated this issue in language server version 1.65.0.
This vulnerability is part of a bro
Zscaler
Anthropic Claude Code Leak | ThreatLabz
blogs_zscaler·2026-04-01
Checkpoint
2nd March – Threat Intelligence Report
blogs_checkpoint·2026-03-02
CVE-2025-59536 2nd March – Threat Intelligence Report
## 2nd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records f
Checkpoint
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
blogs_checkpoint·2026-02-25·CVSS 8.7
CVE-2025-59536 [HIGH] Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
## Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
By Aviv Donenfeld and Oded Vanunu
## Executive Summary
Check Poin