CVE-2026-25725

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-25725
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25725.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25725
Aliases
Published
2026-02-06T17:53:42.543Z
Modified
2026-02-07T02:35:54.458260Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json
Details

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25725.json",
    "cwe_ids": [
        "CWE-501",
        "CWE-668"
    ]
}
References

Affected packages

Git / github.com/anthropics/claude-code

Affected ranges

Type
GIT
Repo
https://github.com/anthropics/claude-code
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
553d6ffc3e2a2b719c501d56a062560c5ce23b54
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.1.2"
        }
    ]
}

Affected versions

v2.*
v2.0.73
v2.0.74
v2.0.76
v2.1.0
v2.1.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25725.json"