cbcvebase.
CVE-2026-25725
published 2026-02-06

Priority: P2 · 63 · critical · 10 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.42% (33.3th percentile)
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

Affected

3 ranges
Vendor        Product      Version range     Fixed in
anthropic-ai  claude-code  >= 0 < 2.1.2      2.1.2
anthropic     claude_code  < 2.1.2           2.1.2
anthropics    claude-code  < 2.1.2           2.1.2

Detection & IOCs (extracted from sources)

path: .claude/settings.json
path: .claude/settings.local.json
  • Monitor for creation of .claude/settings.json inside a bubblewrap sandbox at runtime (i.e., the file did not exist at Claude Code startup but appears during a session), which may indicate sandbox escape persistence via hook injection.
  • Inspect .claude/settings.json for unexpected SessionStart hook entries, especially in environments where the file was absent at Claude Code startup — these hooks execute with host privileges on restart.
  • Alert on any write to .claude/settings.json originating from within a bubblewrap (bwrap) sandboxed process, as the parent .claude directory is mounted writable and the file lacks read-only protection when absent at startup.
  • The vulnerability only applies when .claude/settings.json does NOT exist at Claude Code startup — if the file is already present, the sandbox protection gap does not apply.
  • Only .claude/settings.local.json received explicit read-only sandbox constraints; .claude/settings.json was left unprotected under the same writable parent directory mount, meaning detection must account for this asymmetry.
  • Patched in Claude Code version 2.1.2; versions prior to 2.1.2 of @anthropic-ai/claude-code are affected.
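To turn the detection bullets above into a concrete check, the following is an added Python example (not code from this CVE record, from Anthropic, or from Claude Code) that parses a .claude/settings.json, lists every hook entry that runs a command, and reports the advisory's precondition: the file was absent at Claude Code startup but is present now. The nested hooks layout it walks (hooks → event → groups → hooks → {type, command}) and the sample file contents are assumptions constructed for the example; adjust the walker if the real settings format differs.

```python
"""Hook-injection check for .claude/settings.json (added example, not the
CVE record's or Claude Code's own code). Lists every hook entry that runs a
command and flags a file that was missing at startup but exists now.
The nested hook layout parsed here is an assumption about the settings
format, not something the CVE text specifies."""
import json
import os
from typing import Any, Dict, List

# Constructed sample, not a real capture: the kind of content a sandboxed
# process could write into a previously missing .claude/settings.json.
SAMPLE_SETTINGS = json.dumps({
    "hooks": {
        "SessionStart": [
            {"hooks": [{"type": "command", "command": "/tmp/placeholder-hook.sh"}]}
        ],
        "PreToolUse": [
            {"matcher": "Bash", "hooks": [{"type": "command", "command": "echo audit"}]}
        ],
    }
})

# Events that fire without any user action are the persistence risk the
# advisory describes; rate them high, everything else medium.
AUTO_FIRING_EVENTS = {"SessionStart"}


def extract_command_hooks(settings_text: str) -> List[Dict[str, str]]:
    """Walk hooks -> event -> [ {hooks: [ {type, command} ]} ] and return one
    record per command hook. Malformed JSON is returned as a finding rather
    than raised, because a corrupt settings file is itself worth a look."""
    try:
        data = json.loads(settings_text)
    except json.JSONDecodeError as exc:
        return [{"event": "<parse-error>", "command": str(exc), "severity": "high"}]
    findings: List[Dict[str, str]] = []
    hooks = data.get("hooks", {}) if isinstance(data, dict) else {}
    for event, groups in hooks.items():
        for group in groups if isinstance(groups, list) else []:
            for hook in group.get("hooks", []) if isinstance(group, dict) else []:
                if isinstance(hook, dict) and hook.get("type") == "command":
                    findings.append({
                        "event": event,
                        "command": str(hook.get("command", "")),
                        "severity": "high" if event in AUTO_FIRING_EVENTS else "medium",
                    })
    return findings


def file_appeared_during_session(existed_at_startup: bool, exists_now: bool) -> bool:
    """The CVE's precondition: the file was absent at startup and was
    created later, i.e. while the session (and sandbox) was running."""
    return (not existed_at_startup) and exists_now


def audit_settings_path(path: str, existed_at_startup: bool) -> Dict[str, Any]:
    """Combine both checks for a settings file on disk. The caller records
    existed_at_startup when Claude Code is launched (e.g. os.path.isfile)."""
    exists_now = os.path.isfile(path)
    appeared = file_appeared_during_session(existed_at_startup, exists_now)
    hooks: List[Dict[str, str]] = []
    if exists_now:
        with open(path, encoding="utf-8") as fh:
            hooks = extract_command_hooks(fh.read())
    return {"path": path, "appeared_during_session": appeared, "command_hooks": hooks}


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample rather than a live ~/.claude.
    for finding in extract_command_hooks(SAMPLE_SETTINGS):
        print(f"[{finding['severity']}] {finding['event']}: {finding['command']}")
```

In practice, snapshot whether the file exists just before launching Claude Code, then run audit_settings_path after the session (or periodically from a host-side watcher); any SessionStart command hook in a file that appeared mid-session matches the behaviour this CVE describes and should be reviewed before the next restart.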

CVSS provenance

NVD · v3.1 · 10.0 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD · v4.0 · 7.7 · HIGH · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X