The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-59041

CVE-2025-59041: Anthropic Claude Code RCE Vulnerability

CVE-2025-59041 is a remote code execution vulnerability in Anthropic Claude Code that allows malicious git configurations to execute arbitrary code before workspace trust dialogs. This article covers technical details, affected versions, and patches.

Published: March 11, 2026

CVE-2025-59041 Overview

Claude Code is an agentic coding tool developed by Anthropic. A code injection vulnerability exists in versions prior to 1.0.105 where the application executes a command templated with git config user.email at startup. A maliciously configured user email in git could be exploited to trigger arbitrary code execution before a user accepts the workspace trust dialog. This vulnerability allows attackers to execute code without user consent, bypassing the intended security boundary of the workspace trust mechanism.

Critical Impact

Attackers can achieve arbitrary code execution on systems running vulnerable versions of Claude Code by crafting malicious git configuration values, executing code before users have the opportunity to evaluate workspace trust.

Affected Products

  • Anthropic Claude Code versions prior to 1.0.105
  • Claude Code for Node.js environments

Discovery Timeline

  • 2025-09-10 - CVE-2025-59041 published to NVD
  • 2025-10-22 - Last updated in NVD database

Technical Details for CVE-2025-59041

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw exists in Claude Code's startup routine where the application retrieves git configuration values and uses them in command execution without proper sanitization.

When Claude Code initializes, it queries the local git configuration to retrieve the user's email address using git config user.email. The retrieved value is then incorporated into a command template that is subsequently executed. Because the git email field can contain arbitrary user-controlled data, an attacker can craft a malicious email value that includes shell metacharacters or command injection payloads.

The vulnerability is particularly dangerous because the code execution occurs before the workspace trust dialog is presented to the user. This trust dialog is a security boundary designed to allow users to evaluate whether they want to permit Claude Code to operate in a given workspace. By triggering code execution prior to this dialog, the vulnerability completely bypasses this security control.

Root Cause

The root cause of this vulnerability is improper input validation and unsafe command construction. The application trusts the value returned by git config user.email without sanitizing or escaping shell metacharacters. Git configuration values can be set by any user with write access to their local .gitconfig file or the repository's .git/config file, making this an easily exploitable attack vector.

Attack Vector

An attacker can exploit this vulnerability through multiple scenarios:

  1. Local Attack: An attacker with access to the victim's system modifies the git user email configuration to include a malicious payload
  2. Supply Chain Attack: A malicious repository includes a .git/config file with a crafted email value that executes when Claude Code is launched in that workspace
  3. Social Engineering: An attacker convinces a user to clone a repository or modify their git configuration with malicious values

The vulnerability exploits the startup initialization process, executing attacker-controlled commands with the privileges of the user running Claude Code. Since this occurs before the workspace trust dialog, users have no opportunity to prevent the execution.

Detection Methods for CVE-2025-59041

Indicators of Compromise

  • Unusual or suspicious values in git configuration files, particularly the user.email field containing shell metacharacters such as backticks, semicolons, or pipes
  • Unexpected process spawning during Claude Code startup
  • Modified .gitconfig files with payloads in configuration values
  • Evidence of command execution prior to workspace trust dialog acknowledgment

Detection Strategies

  • Monitor git configuration files for modifications containing shell metacharacters or injection patterns
  • Implement file integrity monitoring on .gitconfig and repository .git/config files
  • Review process execution logs for unexpected child processes spawned by Claude Code during initialization
  • Deploy endpoint detection rules that alert on command injection patterns in configuration files

Monitoring Recommendations

  • Enable logging for Claude Code application startup events and configuration loading
  • Monitor for anomalous process trees where Claude Code spawns unexpected child processes
  • Implement alerts for git configuration changes containing suspicious characters such as $(), backticks, or semicolons
  • Review system logs for evidence of code execution from git configuration context

How to Mitigate CVE-2025-59041

Immediate Actions Required

  • Update Claude Code to version 1.0.105 or later immediately
  • Review git configuration files on development systems for suspicious values in the user.email field
  • Audit any repositories that may have been cloned from untrusted sources for malicious .git/config entries
  • Users on standard Claude Code auto-update should verify they have received the automatic fix

Patch Information

Anthropic has released version 1.0.105 of Claude Code which addresses this vulnerability. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates should update to version 1.0.105 or the latest available version. For detailed information about the fix, refer to the GitHub Security Advisory.

Workarounds

  • Verify auto-update is enabled to ensure timely receipt of security patches
  • Review and sanitize git configuration files before using Claude Code in new workspaces
  • Avoid cloning repositories from untrusted sources until the update is applied
  • Consider temporarily disabling Claude Code on systems where immediate updates cannot be applied
bash
# Verify Claude Code version and check git configuration
# Check current Claude Code version
claude --version

# Review git user.email configuration for suspicious content
git config --global user.email
git config user.email

# Look for shell metacharacters in git config
git config --list | grep -E '[\$\`\;\|]'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechAnthropic Claude Code
  • SeverityHIGH
  • CVSS Score8.7
  • EPSS Probability0.15%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityHigh
  • AvailabilityHigh
  • CWE References
  • CWE-94
  • Vendor Resources
  • GitHub Security Advisory
  • Related CVEs
  • CVE-2025-66032: Anthropic Claude Code RCE Vulnerability
  • CVE-2025-65099: Anthropic Claude Code RCE Vulnerability
  • CVE-2025-58764: Anthropic Claude Code RCE Vulnerability
  • CVE-2025-54795: Anthropic Claude Code RCE Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English