CVE-2025-59536 Overview
Claude Code, an agentic coding tool developed by Anthropic, is affected by a Code Injection vulnerability (CWE-94) in versions prior to 1.0.111. The vulnerability exists due to a bug in the startup trust dialog implementation that allows malicious code execution before user consent is granted.
Critical Impact
Attackers can achieve arbitrary code execution by tricking users into starting Claude Code in a directory containing malicious project files, bypassing the intended trust dialog security mechanism.
Affected Products
- Anthropic Claude Code versions prior to 1.0.111
- Claude Code for Node.js environments
Discovery Timeline
- 2025-10-03 - CVE-2025-59536 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2025-59536
Vulnerability Analysis
This Code Injection vulnerability affects the startup trust dialog implementation in Claude Code. The security flaw allows the execution of code contained within a project directory before the user has explicitly accepted the startup trust dialog, effectively bypassing the intended security control designed to prevent untrusted code execution.
The vulnerability requires user interaction—specifically, the user must launch Claude Code while in an untrusted directory containing malicious code. This attack scenario is particularly concerning for developers who may navigate to unfamiliar repositories or cloned projects without first verifying their contents.
Root Cause
The root cause of this vulnerability lies in a bug within the startup trust dialog implementation. The trust dialog is designed to serve as a security gate that requires explicit user consent before allowing project code to execute. However, due to this implementation flaw, the execution of project code occurs before the trust dialog completes its authorization check, creating a race condition that attackers can exploit.
Attack Vector
The attack vector involves social engineering combined with the technical vulnerability. An attacker would need to:
- Create or compromise a code repository with malicious payload files
- Convince a target user to clone or download the repository
- Have the user start Claude Code while in the malicious project directory
Once Claude Code is started in the untrusted directory, the malicious code executes automatically before the trust dialog can prevent it. The network-accessible nature of this attack (via malicious repositories) combined with the requirement for user interaction characterizes the attack surface.
The vulnerability mechanism involves the trust dialog's timing issue—project code is evaluated or executed during the initialization phase before the blocking trust dialog completes. This allows embedded malicious code to run with the same privileges as the Claude Code process.
Detection Methods for CVE-2025-59536
Indicators of Compromise
- Unexpected process spawning from Claude Code application instances
- Unusual network connections initiated during Claude Code startup
- Suspicious file system modifications occurring before trust dialog interaction
- Process execution logs showing code execution prior to user confirmation events
Detection Strategies
- Monitor Claude Code version numbers across development environments to identify instances running versions below 1.0.111
- Implement endpoint detection rules for abnormal child process creation from Claude Code
- Review application logs for startup sequence anomalies indicating premature code execution
- Deploy file integrity monitoring on development workstations to detect unauthorized changes
Monitoring Recommendations
- Enable verbose logging for Claude Code application startup events
- Configure security tooling to alert on code execution patterns associated with trust dialog bypass
- Establish baseline behavior profiles for Claude Code to identify deviations
- Monitor for repository clone operations followed by immediate Claude Code launches in those directories
How to Mitigate CVE-2025-59536
Immediate Actions Required
- Update Claude Code to version 1.0.111 or later immediately
- Verify auto-update functionality is enabled for Claude Code installations
- Audit development environments to identify vulnerable versions
- Educate developers about the risks of starting Claude Code in untrusted directories
Patch Information
Anthropic has released version 1.0.111 which resolves this vulnerability. Users with standard Claude Code auto-update enabled will have received this fix automatically. Users performing manual updates should update to the latest version immediately.
For additional details, refer to the GitHub Security Advisory GHSA-4fgq-fpq9-mr3g.
Workarounds
- Do not start Claude Code in untrusted or unfamiliar project directories until the update is applied
- Always verify the contents of cloned repositories before opening them with development tools
- Consider running Claude Code in isolated environments when working with untrusted code
- Implement organizational policies requiring trust verification before opening external projects
# Verify Claude Code version
claude --version
# If version is below 1.0.111, update immediately
# For npm-based installations:
npm update @anthropic-ai/claude-code
# Verify the update was successful
claude --version
# Expected: 1.0.111 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
