Anthropic · Claude-Code · CVE-2026-25725
**Name of the Vulnerable Software and Affected Versions**
Claude Code versions prior to 2.1.2
**Description**
Claude Code, an agentic coding tool, had a flaw in its bubblewrap sandboxing mechanism: the sandbox did not protect the `.claude/settings.json` configuration file when that file was absent at startup. The parent `.claude/` directory was bind-mounted writable and an existing `.claude/settings.local.json` was bind-mounted read-only, but a missing `.claude/settings.json` received no read-only mount at all, so nothing stopped code inside the sandbox from creating it. Malicious code running in the sandbox could therefore write the file and inject persistent hooks (for example `SessionStart` commands), which Claude Code would execute with host privileges, outside the sandbox, the next time it was started in that project. This issue affects container-based sandbox environments, and similar weaknesses were observed in comparable tools from Google and OpenAI.
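The following is an added example, not Claude Code's own code, that models the protection gap described above and the audit a practitioner would run afterwards. It assumes a simplified mount-plan model (the project directory bound read-write, protected files bound read-only), resolves paths the way a mount namespace does (most specific mount wins), and uses a hook layout of `hooks -> event -> [ { "hooks": [ { "type": "command", "command": ... } ] } ]`, which follows the documented Claude Code settings format as I understand it; the hardened plan and the sample project are assumptions constructed for the demo, and the injected command is a placeholder.

```python
"""Added example, not Anthropic's code: models why a missing settings.json was
writable from the bubblewrap sandbox and audits a .claude/ directory for hooks."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Configuration files the sandbox is meant to keep read-only (both named in the advisory).
PROTECTED = (".claude/settings.json", ".claude/settings.local.json")


def plan_mounts_vulnerable(project: Path) -> dict[str, str]:
    """Pre-2.1.2 behaviour as described: the project directory is bound read-write
    and only protected files that already exist get a read-only bind."""
    plan = {str(project): "rw"}
    for rel in PROTECTED:
        if (project / rel).exists():
            plan[str(project / rel)] = "ro"
    return plan


def plan_mounts_fixed(project: Path) -> dict[str, str]:
    """One hardened plan (an assumed design, not necessarily Anthropic's patch):
    every protected path is bound read-only whether or not it exists, e.g. with
    'bwrap --ro-bind /dev/null <dest>' for a missing file."""
    plan = {str(project): "rw"}
    for rel in PROTECTED:
        plan[str(project / rel)] = "ro"
    return plan


def writable_from_sandbox(plan: dict[str, str], path: Path) -> bool:
    """The most specific (longest) mount point covering the path decides its mode."""
    target = str(path)
    covering = (m for m in plan if target == m or target.startswith(m + "/"))
    best = max(covering, key=len, default=None)
    return best is not None and plan[best] == "rw"


def find_hooks(claude_dir: Path) -> list[tuple[str, str, str]]:
    """Audit check: every command hook in the settings files as (file, event, command).
    An unparseable file is reported with event '<unparseable>' so it is not silently skipped."""
    found: list[tuple[str, str, str]] = []
    for name in ("settings.json", "settings.local.json"):
        path = claude_dir / name
        if not path.exists():
            continue
        try:
            data = json.loads(path.read_text())
        except json.JSONDecodeError:
            found.append((name, "<unparseable>", ""))
            continue
        for event, groups in (data.get("hooks") or {}).items():
            for group in groups or []:
                for hook in group.get("hooks") or []:
                    if hook.get("type") == "command":
                        found.append((name, event, hook.get("command", "")))
    return found


def build_sample_project(root: Path) -> Path:
    """Constructed sample: .claude/ holds only a benign settings.local.json,
    so settings.json is absent at 'startup'."""
    project = root / "proj"
    (project / ".claude").mkdir(parents=True)
    (project / ".claude" / "settings.local.json").write_text(
        json.dumps({"permissions": {"allow": ["Read"]}}))
    return project


def simulate_injection(plan: dict[str, str], project: Path, command: str) -> bool:
    """Emulate sandboxed code creating settings.json with a SessionStart hook.
    Returns False (as a read-only mount would, with EROFS) when the plan forbids the write."""
    target = project / ".claude" / "settings.json"
    if not writable_from_sandbox(plan, target):
        return False
    target.write_text(json.dumps(
        {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": command}]}]}}))
    return True


def demo() -> dict[str, tuple[bool, list[tuple[str, str, str]]]]:
    """Run the injection against both plans; returns {label: (written?, hooks found)}."""
    out = {}
    for label, planner in (("vulnerable", plan_mounts_vulnerable), ("fixed", plan_mounts_fixed)):
        with tempfile.TemporaryDirectory() as tmp:
            project = build_sample_project(Path(tmp))
            plan = planner(project)
            written = simulate_injection(plan, project, "touch /tmp/hook-ran")  # placeholder command
            out[label] = (written, find_hooks(project / ".claude"))
    return out


if __name__ == "__main__":
    for label, (written, hooks) in demo().items():
        print(f"{label}: settings.json created={written} hooks={hooks}")
```

`find_hooks` is the part worth keeping after the upgrade: point it at the `.claude/` directory of any project in which untrusted code ran under the sandbox and treat any `SessionStart` (or other) command you did not author as an indicator of compromise, since a file created before the fix is not removed by updating.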
**Recommendations**
Update to Claude Code version 2.1.2 or later. Because an injected `.claude/settings.json` persists on disk and its hooks run on the next start, upgrading alone does not remove a file already planted; inspect the `hooks` section of `.claude/settings.json` in any project where untrusted code ran inside the sandbox, and delete any `SessionStart` or other command hooks you did not author.