CVE-2026-25725: Trust Boundary Violation in Claude-code

Severity: 7.7 HIGH (NVD)
EPSS: 0.0% (top 93.95%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 6; latest update Apr 11

Description

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent h
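As an added illustration, not Claude Code's own code: a constructed model of the bubblewrap mount plan the description implies (writable project bind, read-only overlays for the settings files) shows why a settings.json that is absent at startup stays creatable from inside the sandbox, and a small audit flags the gap before launch. Pre-creating the missing file before the read-only bind is an assumed remediation, not necessarily Anthropic's actual patch.

```python
import tempfile
from pathlib import Path

# Constructed model of the launch logic the advisory describes (not Claude Code's
# code).  bwrap cannot --ro-bind a source path that does not exist, so a naive
# plan silently skips a missing file while its parent stays writable.
PROTECTED = (".claude/settings.json", ".claude/settings.local.json")

def naive_mount_plan(project):
    """Pre-fix behaviour: read-only overlay only for files that already exist."""
    args = ["--bind", str(project), str(project)]
    for rel in PROTECTED:
        p = project / rel
        if p.exists():
            args += ["--ro-bind", str(p), str(p)]
    return args

def hardened_mount_plan(project):
    """Assumed fix: ensure each protected file exists, then overlay it read-only."""
    args = ["--bind", str(project), str(project)]
    for rel in PROTECTED:
        p = project / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        if not p.exists():
            p.write_text("{}\n")  # placeholder empty JSON object (assumption)
        args += ["--ro-bind", str(p), str(p)]
    return args

def _binds(args, flag):
    # destination path of every (flag, src, dest) triple carrying this flag
    return {args[i + 2] for i in range(0, len(args), 3) if args[i] == flag}

def unprotected_paths(args, project):
    """Protected paths inside a writable bind that lack their own read-only overlay."""
    writable = _binds(args, "--bind")
    readonly = _binds(args, "--ro-bind")
    gaps = []
    for rel in PROTECTED:
        full = str(project / rel)
        if full not in readonly and any(full.startswith(w + "/") for w in writable):
            gaps.append(rel)
    return gaps

def demo():
    # constructed startup state: settings.local.json exists, settings.json does not
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp)
        (project / ".claude").mkdir()
        (project / ".claude" / "settings.local.json").write_text("{}\n")
        before = unprotected_paths(naive_mount_plan(project), project)
        after = unprotected_paths(hardened_mount_plan(project), project)
        return before, after
```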

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

CVEListV5: anthropics/claude-code < 2.1.2

Vulnerability Details (3)

VulDB: Anthropic claude-code up to 2.1.1 Bubblewrap Sandboxing .claude/settings.json trust boundary violation (GHSA-ff64-7w26-62rf / Nessus ID 305986), 2026-04-11
GHSA: Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json, 2026-02-06
OSV: Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json, 2026-02-06

Threat Intelligence (9)

Wiz: CVE-2026-25723 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-24053 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-33068 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-25722 Impact, Exploitability, and Mitigation Steps
Wiz: CVE-2026-24052 Impact, Exploitability, and Mitigation Steps