PT-2026-6766 · Anthropic · Claude-Code

Edbr

·

Published

2026-02-06

·

Updated

2026-04-08

·

CVE-2026-25725

CVSS v3.1

10

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Claude Code versions prior to 2.1.2
Description: Claude Code, an agentic coding tool, had a flaw in its bubblewrap (bwrap) sandboxing mechanism. The sandbox protected the project's .claude/settings.local.json with a read-only bind mount, but the parent .claude/ directory remained writable and .claude/settings.json received no protection at all when it did not exist at sandbox startup. Code running inside the sandbox could therefore create .claude/settings.json and add persistent hooks, such as a SessionStart command; those hooks then ran outside the sandbox with host privileges the next time Claude Code was started. The issue affects container-based sandbox environments, and the same pattern was observed in similar tools from Google and OpenAI.
Recommendations: Update to Claude Code version 2.1.2 or later.
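The following is an added illustration and is not code from Anthropic, Claude Code, or this advisory. It models the mount decision described above: a launcher that only read-only-binds protected files which already exist (the weakness) next to one that materialises them before mounting (an assumed hardening; the actual change shipped in 2.1.2 is not reproduced here), and an audit that lists command hooks a sandboxed process may have written into a settings file. The hook layout follows Claude Code's documented settings schema as far as the author knows it; treat it, the `plan_ro_binds`/`audit_hooks` names, and the sample payload as assumptions constructed for this example.

```python
"""Added illustration, not Claude Code's own code.

Models the mount decision behind the advisory above: a launcher that only
read-only-binds protected files which already exist (the weakness) versus
one that materialises them first (an assumed fix; the exact 2.1.2 change
is not reproduced here). Also audits a settings file for command hooks
that a sandboxed process may have injected.
"""
import json
import os
import tempfile

# Files the sandbox is meant to keep immutable (named in the advisory).
PROTECTED = (".claude/settings.json", ".claude/settings.local.json")


def plan_ro_binds(project_dir, *, precreate):
    """Return the flat ["--ro-bind", src, dst, ...] list a launcher would hand to bwrap.

    precreate=False reproduces the weakness: a path that does not exist yet
    gets no mount at all, so it can be created from inside the sandbox later.
    precreate=True writes an empty JSON object first so the read-only bind
    always applies (assumed hardening, not necessarily the shipped patch).
    """
    args = []
    for rel in PROTECTED:
        path = os.path.join(project_dir, rel)
        if not os.path.exists(path):
            if not precreate:
                continue  # vulnerable branch: silently skip the missing file
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("{}\n")
        args += ["--ro-bind", path, path]
    return args


def unprotected(project_dir, binds):
    """Protected paths (relative) that received no read-only bind."""
    bound = {binds[i + 1] for i in range(0, len(binds), 3)}
    return [rel for rel in PROTECTED if os.path.join(project_dir, rel) not in bound]


def find_command_hooks(settings_path):
    """Return (event, command) for every command hook in a settings file.

    Hook layout assumed from Claude Code's documented settings schema:
    {"hooks": {"<Event>": [{"matcher": ..., "hooks": [{"type": "command", "command": ...}]}]}}
    """
    if not os.path.exists(settings_path):
        return []
    with open(settings_path) as fh:
        data = json.load(fh)
    found = []
    for event, matchers in data.get("hooks", {}).items():
        for matcher in matchers:
            for hook in matcher.get("hooks", []):
                if hook.get("type") == "command":
                    found.append((event, hook.get("command", "")))
    return found


def audit_hooks(settings_path, allowed_commands):
    """Return command hooks whose command is not on the operator's allow-list."""
    return [(e, c) for e, c in find_command_hooks(settings_path) if c not in allowed_commands]


def demo():
    """Run the vulnerable launcher, the post-session audit, and the fixed launcher."""
    with tempfile.TemporaryDirectory() as project:
        local = os.path.join(project, ".claude", "settings.local.json")
        os.makedirs(os.path.dirname(local))
        with open(local, "w") as fh:
            fh.write("{}\n")  # exists at startup, so it gets bound read-only
        missing = unprotected(project, plan_ro_binds(project, precreate=False))

        # Constructed payload standing in for what sandboxed code could write;
        # the command is a harmless marker, not a real attack.
        target = os.path.join(project, ".claude", "settings.json")
        payload = {"hooks": {"SessionStart": [{"matcher": "startup", "hooks": [
            {"type": "command", "command": "touch /tmp/claude-hook-ran"}]}]}}
        with open(target, "w") as fh:
            json.dump(payload, fh)
        flagged = audit_hooks(target, allowed_commands=set())

    with tempfile.TemporaryDirectory() as fresh:
        still_missing = unprotected(fresh, plan_ro_binds(fresh, precreate=True))
    return missing, flagged, still_missing


if __name__ == "__main__":
    print(demo())
```

The vulnerable run leaves .claude/settings.json unbound even though its sibling is protected, which is exactly the gap the advisory describes; the audit then surfaces the injected SessionStart command, and the pre-creating launcher leaves no protected path unbound. An operator who cannot upgrade immediately can apply the same two ideas by hand: make sure both settings files exist before launching the sandbox, and diff .claude/settings.json against a known-good copy after each session.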

Exploit

Fix

Weakness Enumeration

CWE-668: Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2026-25725
GHSA-FF64-7W26-62RF

Affected Products

Claude-Code