Anthropic · Claude-Code · CVE-2026-33068
**Name of the Vulnerable Software and Affected Versions**
Claude Code versions prior to 2.1.53
**Description**
Claude Code is an agentic coding tool that had a load-order defect in its settings loader. The loader resolved the permission mode from settings files, including the repository-controlled `.claude/settings.json`, before deciding whether the workspace trust confirmation dialog should be displayed. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped the first time the repository was opened. The user was thereby placed in a permissive mode without explicit consent, potentially allowing an attacker-controlled repository to achieve tool execution, file system access, and command execution.
**Recommendations**
Update to version 2.1.53 or later.
As a temporary mitigation, before opening an unfamiliar repository, review its `.claude/settings.json` file and confirm that `permissions.defaultMode` is not set to `bypassPermissions`.