Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-59041

CVE-2025-59041: Anthropic Claude Code RCE Vulnerability

CVE-2025-59041 is a remote code execution vulnerability in Anthropic Claude Code that allows malicious git configurations to execute arbitrary code before workspace trust dialogs. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-59041 Overview

Claude Code is an agentic coding tool developed by Anthropic. A code injection vulnerability exists in versions prior to 1.0.105 where the application executes a command templated with git config user.email at startup. A maliciously configured user email in git could be exploited to trigger arbitrary code execution before a user accepts the workspace trust dialog. This vulnerability allows attackers to execute code without user consent, bypassing the intended security boundary of the workspace trust mechanism.

Critical Impact

Attackers can achieve arbitrary code execution on systems running vulnerable versions of Claude Code by crafting malicious git configuration values, executing code before users have the opportunity to evaluate workspace trust.

Affected Products

  • Anthropic Claude Code versions prior to 1.0.105
  • Claude Code for Node.js environments

Discovery Timeline

  • 2025-09-10 - CVE-2025-59041 published to NVD
  • 2025-10-22 - Last updated in NVD database

Technical Details for CVE-2025-59041

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw exists in Claude Code's startup routine where the application retrieves git configuration values and uses them in command execution without proper sanitization.

When Claude Code initializes, it queries the local git configuration to retrieve the user's email address using git config user.email. The retrieved value is then incorporated into a command template that is subsequently executed. Because the git email field can contain arbitrary user-controlled data, an attacker can craft a malicious email value that includes shell metacharacters or command injection payloads.

The vulnerability is particularly dangerous because the code execution occurs before the workspace trust dialog is presented to the user. This trust dialog is a security boundary designed to allow users to evaluate whether they want to permit Claude Code to operate in a given workspace. By triggering code execution prior to this dialog, the vulnerability completely bypasses this security control.

Root Cause

The root cause of this vulnerability is improper input validation and unsafe command construction. The application trusts the value returned by git config user.email without sanitizing or escaping shell metacharacters. Git configuration values can be set by any user with write access to their local .gitconfig file or the repository's .git/config file, making this an easily exploitable attack vector.

Attack Vector

An attacker can exploit this vulnerability through multiple scenarios:

  1. Local Attack: An attacker with access to the victim's system modifies the git user email configuration to include a malicious payload
  2. Supply Chain Attack: A malicious repository includes a .git/config file with a crafted email value that executes when Claude Code is launched in that workspace
  3. Social Engineering: An attacker convinces a user to clone a repository or modify their git configuration with malicious values

The vulnerability exploits the startup initialization process, executing attacker-controlled commands with the privileges of the user running Claude Code. Since this occurs before the workspace trust dialog, users have no opportunity to prevent the execution.

Detection Methods for CVE-2025-59041

Indicators of Compromise

  • Unusual or suspicious values in git configuration files, particularly the user.email field containing shell metacharacters such as backticks, semicolons, or pipes
  • Unexpected process spawning during Claude Code startup
  • Modified .gitconfig files with payloads in configuration values
  • Evidence of command execution prior to workspace trust dialog acknowledgment

Detection Strategies

  • Monitor git configuration files for modifications containing shell metacharacters or injection patterns
  • Implement file integrity monitoring on .gitconfig and repository .git/config files
  • Review process execution logs for unexpected child processes spawned by Claude Code during initialization
  • Deploy endpoint detection rules that alert on command injection patterns in configuration files

Monitoring Recommendations

  • Enable logging for Claude Code application startup events and configuration loading
  • Monitor for anomalous process trees where Claude Code spawns unexpected child processes
  • Implement alerts for git configuration changes containing suspicious characters such as $(), backticks, or semicolons
  • Review system logs for evidence of code execution from git configuration context

How to Mitigate CVE-2025-59041

Immediate Actions Required

  • Update Claude Code to version 1.0.105 or later immediately
  • Review git configuration files on development systems for suspicious values in the user.email field
  • Audit any repositories that may have been cloned from untrusted sources for malicious .git/config entries
  • Users on standard Claude Code auto-update should verify they have received the automatic fix

Patch Information

Anthropic has released version 1.0.105 of Claude Code which addresses this vulnerability. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates should update to version 1.0.105 or the latest available version. For detailed information about the fix, refer to the GitHub Security Advisory.

Workarounds

  • Verify auto-update is enabled to ensure timely receipt of security patches
  • Review and sanitize git configuration files before using Claude Code in new workspaces
  • Avoid cloning repositories from untrusted sources until the update is applied
  • Consider temporarily disabling Claude Code on systems where immediate updates cannot be applied
bash
# Verify Claude Code version and check git configuration
# Check current Claude Code version
claude --version

# Review git user.email configuration for suspicious content
git config --global user.email
git config user.email

# Look for shell metacharacters in git config
git config --list | grep -E '[\$\`\;\|]'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne