CVE-2025-52882 Overview
CVE-2025-52882 is a high-severity vulnerability affecting Claude Code IDE extensions across multiple development environments. The vulnerability allows unauthorized websocket connections from attackers when users visit malicious webpages, potentially leading to arbitrary file access, code execution, and information disclosure.
Claude Code extensions in VSCode and its forks (including Cursor, Windsurf, and VSCodium) as well as JetBrains IDEs (IntelliJ, PyCharm, Android Studio) are susceptible to this attack. The vulnerability stems from improper validation of websocket connection origins, classified under CWE-1385 (Missing Origin Validation in WebSockets).
Critical Impact
Attackers can read arbitrary files, monitor IDE activity, access file listings, and in certain scenarios execute code when users have Jupyter Notebooks open and accept malicious prompts.
Affected Products
- Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23
- Claude Code [Beta] for JetBrains IDEs versions 0.1.1 through 0.1.8
- VSCode forks including Cursor, Windsurf, and VSCodium running vulnerable extension versions
Discovery Timeline
- June 13, 2025 - Anthropic releases security patch
- June 24, 2025 - CVE-2025-52882 published to NVD
- June 26, 2025 - Last updated in NVD database
Technical Details for CVE-2025-52882
Vulnerability Analysis
This vulnerability represents a missing origin validation flaw in the WebSocket implementation used by Claude Code IDE extensions. WebSocket connections, unlike standard HTTP requests, can bypass same-origin policy protections if proper origin validation is not implemented. In this case, the Claude Code extensions fail to adequately verify the origin of incoming WebSocket connections, allowing attacker-controlled web pages to establish unauthorized connections to the extension's local WebSocket server.
The impact varies by IDE platform. In VSCode and its forks, successful exploitation enables attackers to read arbitrary files from the victim's system, enumerate files open in the IDE, receive selection and diagnostics events, and potentially execute code when users have an open Jupyter Notebook and inadvertently accept a malicious prompt. JetBrains IDE users face exposure of selection events, open file listings, and syntax error information.
Root Cause
The root cause is classified as CWE-1385: Missing Origin Validation in WebSockets. The Claude Code extension establishes a local WebSocket server for communication between the IDE and the extension's functionality. However, the implementation did not properly validate the origin header of incoming WebSocket connection requests. This oversight allows malicious web pages loaded in the user's browser to initiate WebSocket connections to the extension's local server, bypassing the intended security boundary between web content and the local development environment.
Attack Vector
The attack requires user interaction through visiting an attacker-controlled webpage while the vulnerable Claude Code extension is active in their IDE. The attack is network-accessible, meaning attackers can host malicious content on any web server. When a victim visits the malicious page, JavaScript code on that page attempts to establish a WebSocket connection to the Claude Code extension's local server. Due to the missing origin validation, this connection succeeds, granting the attacker access to extension functionality.
The attack flow proceeds as follows: the attacker crafts a webpage containing malicious JavaScript that initiates WebSocket connections to common local ports used by Claude Code. When a developer with the vulnerable extension installed visits this page, the browser executes the JavaScript, which successfully connects to the extension's WebSocket endpoint. From there, the attacker can issue commands to read files, enumerate open documents, or—in VSCode with an open Jupyter Notebook—potentially achieve code execution if the user accepts a crafted prompt.
Detection Methods for CVE-2025-52882
Indicators of Compromise
- Unexpected outbound WebSocket connections originating from IDE processes to unknown destinations
- Browser console logs showing WebSocket connections to localhost ports associated with Claude Code
- Unusual file access patterns from IDE processes accessing sensitive files outside the project scope
- Suspicious prompts appearing in Jupyter Notebooks that were not user-initiated
Detection Strategies
- Monitor for anomalous WebSocket connection attempts to local development tool ports from browser processes
- Implement network monitoring to detect connections between browser contexts and IDE extension services
- Review IDE extension logs for unexpected file access requests or command executions
- Deploy endpoint detection solutions that can correlate browser activity with local service connections
Monitoring Recommendations
- Enable verbose logging for IDE extensions to capture WebSocket connection attempts and their origins
- Configure security tools to alert on cross-process communication between browsers and development tools
- Monitor for file system access from IDE processes to directories outside normal project boundaries
- Track extension version information and alert when outdated vulnerable versions are detected
How to Mitigate CVE-2025-52882
Immediate Actions Required
- Update Claude Code for VSCode to version 1.0.24 or later immediately
- Update Claude Code [Beta] for JetBrains IDEs to version 0.1.9 or later
- Restart all affected IDEs after updating extensions to ensure the patched version is active
- Audit recent file access logs for any signs of unauthorized access during the vulnerable period
Patch Information
Anthropic released patches for this vulnerability on June 13, 2025. Claude Code includes auto-update functionality that activates when users launch the application, and extensions are also auto-updated. However, manual verification is strongly recommended.
For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks: Navigate to View → Extensions, locate "Claude Code for VSCode" among installed extensions, and verify the version is 1.0.24 or higher. Update or uninstall any prior versions, then restart the IDE.
For JetBrains IDEs (IntelliJ, PyCharm, Android Studio): Open the Plugins list, locate "Claude Code [Beta]" among installed extensions, and verify the version is 0.1.9 or higher. Update or uninstall any prior versions, then restart the IDE.
For additional details, refer to the GitHub Security Advisory GHSA-9f65-56v6-gxw7.
Workarounds
- Temporarily disable the Claude Code extension until the update can be applied
- Avoid visiting untrusted websites while the vulnerable extension is active in your IDE
- Close Jupyter Notebooks when not actively in use to reduce the code execution attack surface
- Consider using browser isolation or separate browser profiles when browsing while developing
# VSCode CLI extension update
code --uninstall-extension anthropic.claude-code
code --install-extension anthropic.claude-code@1.0.24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
