Cyber Resilience

CVE-2026-25725

High

Published: 06 February 2026

Published
06 February 2026
Modified
09 February 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25725 is a high-severity Trust Boundary Violation (CWE-501) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-25725 affects Claude Code, an agentic coding tool, in versions prior to 2.1.2. The vulnerability stems from a flaw in the bubblewrap sandboxing mechanism, which fails to protect the .claude/settings.json configuration file when it does not exist at startup. Although the parent directory is mounted as writable and .claude/settings.local.json is explicitly protected with read-only constraints, the absence of settings.json allows it to be created without restrictions. This enables malicious code executing within the sandbox to inject persistent hooks, such as SessionStart commands, into the file. The issue is rated CVSS 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-501 (Trust Boundary Violation) and CWE-668 (Exposure of Resource to Wrong Sphere).

An attacker can exploit this vulnerability by first executing malicious code inside the sandboxed environment of Claude Code. With no privileges, user interaction, or special access required, and given the network-accessible attack vector and changed scope, exploitation allows creation of the unprotected settings.json file. Upon restarting Claude Code, the injected hooks execute with full host privileges, enabling complete compromise including high confidentiality, integrity, and availability impacts.

The GitHub security advisory (GHSA-ff64-7w26-62rf) confirms the issue has been addressed in Claude Code version 2.1.2, recommending immediate upgrade to mitigate the sandbox escape risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and…

more

.claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1611 Escape to Host Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Vulnerability in bubblewrap sandbox allows unprivileged code to create unprotected .claude/settings.json, inject SessionStart hooks, and escape to execute with full host privileges on restart (direct sandbox escape + priv esc).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39861Same product: Anthropic Claude Code
CVE-2026-24887Same product: Anthropic Claude Code
CVE-2025-58764Same product: Anthropic Claude Code
CVE-2026-40068Same product: Anthropic Claude Code
CVE-2026-24052Same product: Anthropic Claude Code
CVE-2025-59041Same product: Anthropic Claude Code
CVE-2025-65099Same product: Anthropic Claude Code
CVE-2026-33068Same product: Anthropic Claude Code
CVE-2025-64755Same product: Anthropic Claude Code
CVE-2025-54794Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 2.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Ensures sandboxed processes are isolated from host resources like the unprotected .claude/settings.json file, directly preventing the sandbox escape vulnerability.

prevent

Mandates software-enforced separation mechanisms like bubblewrap to properly constrain file creation and access across trust boundaries.

prevent

Requires enforcement of access authorizations that block sandboxed code from creating host-privileged configuration files such as settings.json.

References