CVE-2025-59536
published 2025-10-03


Priority: P267
Severity: high (CVSS 3.1 base score 8.8)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 30.23% (98.0th percentile)
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

Affected

3 ranges
Vendor       | Product     | Version range    | Fixed in
anthropic-ai | claude-code | >= 0, < 1.0.111  | 1.0.111
anthropic    | claude_code | < 1.0.111        | 1.0.111
anthropics   | claude-code | < 1.0.111        | 1.0.111

Detection & IOCs (extracted from sources)

filename: ClaudeCode_x64.exe
path: .claude/settings.json
path: .mcp.json
  • Monitor for execution of hooks triggered by the SessionStart event in Claude Code before the trust dialog is accepted — hook commands in .claude/settings.json execute automatically without additional confirmation prompts.
  • Hunt for the Rust-based dropper ClaudeCode_x64.exe delivered via trojanized GitHub repositories; on execution it drops Vidar v18.7 (infostealer) and GhostSocks (SOCKS proxy).
  • Monitor for anomalous outbound connections to Steam community profile URLs and Telegram from developer workstations, as these are used as Vidar Dead Drop Resolvers to retrieve C2 addresses.
  • Detect cloning or downloading from GitHub repositories named 'leaked-claude-code' or associated with the threat actor account 'idbzoomh1', which distribute trojanized payloads.
  • Use Zscaler threat names Win64.Downloader.TradeDownloader, Win32.PWS.Vidar, and Win32.Trojan.GHOSTSOCKS for detection of payloads associated with the trojanized Claude Code lure campaign.
  • The vulnerability requires the user to start Claude Code in an untrusted/malicious directory; exploitation is contingent on a developer cloning and opening an attacker-controlled repository.
  • Users on standard Claude Code auto-update will have received the fix automatically; only manual-update users need to act. The fix is in version 1.0.111.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd    | v3.1         | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd    | v4.0         | 8.7   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X