CVE-2026-25724 Overview
Claude Code, an agentic coding tool developed by Anthropic, contains a security vulnerability in versions prior to 2.1.7 that allows unauthorized file access through symbolic link exploitation. The application fails to strictly enforce deny rules configured in settings.json when accessing files through symbolic links, potentially allowing read access to explicitly restricted files.
Critical Impact
Attackers can bypass file access restrictions by leveraging symbolic links to read sensitive files that were explicitly denied in Claude Code's configuration, such as /etc/passwd or other protected system files.
Affected Products
- Anthropic Claude Code versions prior to 2.1.7
- Claude Code for Node.js (all platforms)
Discovery Timeline
- 2026-02-06 - CVE CVE-2026-25724 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25724
Vulnerability Analysis
This vulnerability is classified as CWE-61 (UNIX Symbolic Link Following), commonly known as a symlink attack. The flaw exists in Claude Code's file access control mechanism, specifically in how it evaluates deny rules against file paths.
When a user configures Claude Code to deny access to specific files via the settings.json configuration file, the application correctly blocks direct access attempts to those paths. However, the access control logic fails to resolve symbolic links before evaluating deny rules, creating a bypass condition.
The vulnerability requires user interaction and specific preconditions to exploit: an attacker must have the ability to create symbolic links in a location accessible to Claude Code, and the user must have explicitly denied access to a sensitive file while still allowing Claude Code access to the directory containing the symlink.
Root Cause
The root cause is improper validation of file paths before access control enforcement. The deny rule matching occurs against the literal path requested rather than the canonical, resolved path. This allows symbolic links to evade detection since their path differs from the target file's path that was explicitly denied.
The file access control mechanism should resolve all symbolic links and normalize paths to their canonical form before comparing against the deny list. The absence of this canonicalization step creates the bypass opportunity.
Attack Vector
The attack vector requires network access with user interaction. An attacker would need to:
- Identify a file that is explicitly denied in the target's Claude Code configuration
- Create a symbolic link pointing to the restricted file in a location Claude Code can access
- Request Claude Code to read the symbolic link path instead of the denied file path directly
For example, if /etc/passwd is denied but /home/user/projects/ is accessible, creating a symlink at /home/user/projects/passwd_link pointing to /etc/passwd would allow Claude Code to read the restricted file's contents through the link.
The vulnerability mechanism involves symlink resolution bypassing the deny rule check. See the GitHub Security Advisory for complete technical details.
Detection Methods for CVE-2026-25724
Indicators of Compromise
- Presence of suspicious symbolic links in project directories pointing to system files
- Claude Code access logs showing reads of symlinked paths that resolve to sensitive files
- Unusual file read patterns targeting paths outside normal project scope
Detection Strategies
- Monitor for symbolic link creation in directories accessible to Claude Code
- Audit Claude Code access logs for file reads that resolve to denied paths after symlink resolution
- Implement file integrity monitoring on sensitive system files to detect unauthorized access
Monitoring Recommendations
- Enable verbose logging in Claude Code to track all file access attempts
- Configure security monitoring tools to alert on symlink creation targeting sensitive directories
- Review settings.json deny rules regularly to ensure comprehensive coverage
- Monitor for anomalous file access patterns in Claude Code session logs
How to Mitigate CVE-2026-25724
Immediate Actions Required
- Upgrade Claude Code to version 2.1.7 or later immediately
- Audit existing project directories for suspicious symbolic links
- Review and strengthen deny rules in settings.json to include common symlink attack patterns
- Consider using absolute canonical paths in deny rules where possible
Patch Information
Anthropic has released version 2.1.7 of Claude Code which addresses this vulnerability. The patch implements proper symbolic link resolution before deny rule evaluation, ensuring that access control decisions are made against the canonical target path rather than the symlink path.
Users should update via their package manager:
npm update @anthropic/claude-code
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Deny access to directories that could contain malicious symlinks rather than individual files
- Remove write permissions from directories accessible to Claude Code to prevent symlink creation
- Use file system configurations that prevent symbolic link following (e.g., O_NOFOLLOW flags where applicable)
- Implement additional access controls at the operating system level for sensitive files
# Example: Restrict symlink creation in project directories
chmod o-w /path/to/project/directory
# Example: Check for existing symlinks pointing to sensitive files
find /path/to/projects -type l -exec ls -la {} \; 2>/dev/null | grep -E "(passwd|shadow|ssh)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
