Claude Code Has Sandbox Escape via Persistent Configuration Injection in...

7.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

Basic Information

ID CVE-2026-25725

Source GitHub_M

Published Feb 6, 2026 at 17:53

Modified Feb 6, 2026 at 19:15

Affected Product

Vendor anthropics

Product claude-code

Version < 2.1.2

Affected Versions anthropics claude-code < 2.1.2

CWE Classification

CWE-501 CWE-668

References

github.com /anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf

{
    "lastseen": "",
    "description": "Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.",
    "published": "2026-02-06T17:53:42.543Z",
    "modified": "2026-02-06T19:15:02.998Z",
    "type": "cve",
    "title": "Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json",
    "source": "GitHub_M",
    "references": "https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf",
    "id": "CVE-2026-25725",
    "bulletinFamily": "",
    "cwe": [
        "CWE-501",
        "CWE-668"
    ],
    "cvelist": null,
    "sourceData": "anthropics claude-code < 2.1.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "claude-code",
    "version": "< 2.1.2",
    "vendor": "anthropics",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json_CVE-2026-25725