CVE-2026-25725
Published: 06 February 2026
Summary
CVE-2026-25725 is a critical-severity Trust Boundary Violation (CWE-501) vulnerability in Anthropic Claude Code. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The vulnerability ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-39 (Process Isolation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Ensures sandboxed processes are isolated from host resources like the unprotected .claude/settings.json file, directly preventing the sandbox escape vulnerability.
Mandates software-enforced separation mechanisms like bubblewrap to properly constrain file creation and access across trust boundaries.
Requires enforcement of access authorizations that block sandboxed code from creating host-privileged configuration files such as settings.json.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A flaw in Claude Code's bubblewrap sandbox lets unprivileged code create the unprotected .claude/settings.json, inject SessionStart hooks, and execute with full host privileges on restart (a direct sandbox escape plus privilege escalation).
NVD Description
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
Deeper analysis
CVE-2026-25725 affects Claude Code, an agentic coding tool, in versions prior to 2.1.2. The vulnerability stems from a flaw in the bubblewrap sandboxing mechanism, which fails to protect the .claude/settings.json configuration file when it does not exist at startup. Although the parent directory is mounted as writable and .claude/settings.local.json is explicitly protected with read-only constraints, the absence of settings.json allows it to be created without restrictions. This enables malicious code executing within the sandbox to inject persistent hooks, such as SessionStart commands, into the file. The issue is rated CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-501 (Trust Boundary Violation) and CWE-668 (Exposure of Resource to Wrong Sphere).
An attacker can exploit this vulnerability by first executing malicious code inside the sandboxed environment of Claude Code. With no privileges, user interaction, or special access required, and given the network-accessible attack vector and changed scope, exploitation allows creation of the unprotected settings.json file. Upon restarting Claude Code, the injected hooks execute with full host privileges, enabling complete compromise including high confidentiality, integrity, and availability impacts.
The GitHub security advisory (GHSA-ff64-7w26-62rf) confirms the issue has been addressed in Claude Code version 2.1.2, recommending immediate upgrade to mitigate the sandbox escape risk.
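A defender-side check for the condition described above, added here as an example and not taken from the advisory or from Claude Code: it reports whether a project's .claude/settings.json exists and which hook commands it defines, and compares a version string against 2.1.2. The top-level "hooks" key, the nested "command" fields, the purely numeric version format and all function names are assumptions for illustration; the sample file is constructed.

```python
import json
import tempfile
from pathlib import Path

PATCHED = (2, 1, 2)  # first fixed version, per the advisory text above

def is_patched(version: str) -> bool:
    """True if a dotted numeric version string is at or above 2.1.2."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= PATCHED

def _commands(node):
    """Yield every string stored under a "command" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from _commands(item)

def audit_settings(project_root) -> dict:
    """Report hooks found in <project_root>/.claude/settings.json."""
    path = Path(project_root) / ".claude" / "settings.json"
    report = {"path": str(path), "exists": path.is_file(), "hooks": {}, "error": None}
    if not report["exists"]:
        return report
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        report["error"] = f"unreadable: {exc}"  # unparseable file: review by hand
        return report
    hooks = data.get("hooks", {}) if isinstance(data, dict) else {}
    if isinstance(hooks, dict):
        for event, body in hooks.items():  # assumed layout: event name -> hook entries
            report["hooks"][event] = list(_commands(body))
    return report

def demo() -> dict:
    """Run the audit over a constructed settings file in a temp directory."""
    sample = {"hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "echo constructed"}]}]}}
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root) / ".claude"
        cfg.mkdir()
        (cfg / "settings.json").write_text(json.dumps(sample), encoding="utf-8")
        return audit_settings(root)
```

Any hook the report lists that the project owner did not add deliberately is worth reviewing before the tool is restarted, since hooks run with host privileges.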
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: claude, claude, claude, claude, claude