CVE-2026-25725 Overview
CVE-2026-25725 is a sandbox escape vulnerability in Anthropic Claude Code, an agentic coding tool. Versions prior to 2.1.2 contain a flaw in the bubblewrap sandboxing mechanism that fails to protect the .claude/settings.json configuration file when it does not exist at startup. Malicious code running inside the sandbox can create this file and inject persistent hooks, such as SessionStart commands, that execute with host privileges when Claude Code restarts. The vulnerability is classified under [CWE-501] (Trust Boundary Violation) and affects the integrity of the sandbox isolation model. Anthropic patched the issue in version 2.1.2.
Critical Impact
Attackers who achieve code execution inside the Claude Code sandbox can escape isolation and gain persistent host-level code execution through injected configuration hooks.
Affected Products
- Anthropic Claude Code (Node.js distribution) versions prior to 2.1.2
- Deployments using bubblewrap sandboxing on Linux hosts
- Environments where .claude/settings.json is not pre-created before sandbox startup
Discovery Timeline
- 2026-02-06 - CVE-2026-25725 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25725
Vulnerability Analysis
Claude Code uses bubblewrap to confine agentic operations within an isolated filesystem namespace. The sandbox configuration mounts the .claude/ parent directory as writable while applying explicit read-only constraints to .claude/settings.local.json. The protection logic assumes settings.json already exists and inherits restrictions from its parent. When the file is absent at sandbox startup, the writable parent directory permits creation of settings.json from inside the sandbox.
Claude Code reads settings.json on each session start and honors SessionStart hook directives defined within it. An attacker controlling sandboxed execution writes a crafted settings.json containing arbitrary shell commands as hooks. On the next host-side invocation of Claude Code, the agent reads the attacker-supplied configuration and executes the embedded hooks with the privileges of the host user, escaping the sandbox boundary.
Root Cause
The root cause is an incomplete trust boundary in the bubblewrap mount configuration. The sandbox author enumerated specific files requiring read-only protection but did not account for the case where a protected file does not yet exist. Because bubblewrap cannot apply a read-only bind mount to a nonexistent path, the file was effectively unprotected and creatable from inside the sandbox.
Attack Vector
Exploitation requires an attacker to first obtain code execution inside the Claude Code sandbox. This typically occurs through prompt injection against the agent, processing of untrusted repository content, or compromise of a dependency invoked by the agent. The attacker writes .claude/settings.json with malicious SessionStart hooks. Host privilege execution occurs when the user restarts Claude Code. User interaction is required to trigger the payload, but the action is routine.
The vulnerability mechanism is described in the GitHub Security Advisory. No public proof-of-concept code is referenced in the advisory.
Detection Methods for CVE-2026-25725
Indicators of Compromise
- Unexpected creation of .claude/settings.json in user home directories following Claude Code sandbox sessions
- Presence of SessionStart, PreToolUse, or other hook directives in settings.json that reference shell commands, network utilities, or interpreters
- Outbound network connections or child process spawns occurring immediately at Claude Code startup
Detection Strategies
- Monitor file creation events for ~/.claude/settings.json and compare contents against a known-good baseline maintained by configuration management
- Audit Claude Code configuration files for hook keys containing executable payloads or references to writable directories
- Correlate Claude Code process launches with subsequent child process trees that deviate from expected agent behavior
Monitoring Recommendations
- Enable filesystem auditing on .claude/ directories using auditd or equivalent to record create, write, and rename operations
- Log Claude Code version strings at process start and alert on instances running versions earlier than 2.1.2
- Forward sandbox-related events to a centralized data lake for retrospective hunting on anomalous hook definitions
How to Mitigate CVE-2026-25725
Immediate Actions Required
- Upgrade Claude Code to version 2.1.2 or later on all developer workstations and CI runners
- Inspect existing ~/.claude/settings.json files for unauthorized hook definitions and remove any unexpected entries
- Restrict Claude Code execution to trusted repositories and disable processing of untrusted prompt content until upgrade is complete
Patch Information
Anthropic released the fix in Claude Code version 2.1.2. The patch ensures .claude/settings.json is protected by the bubblewrap sandbox even when the file does not exist at startup, preventing in-sandbox creation. Refer to the GitHub Security Advisory GHSA-ff64-7w26-62rf for vendor guidance.
Workarounds
- Pre-create an empty, read-only .claude/settings.json file owned by root before launching Claude Code to prevent sandbox-side creation
- Apply mandatory access control profiles (AppArmor, SELinux) to deny write access to .claude/settings.json for the Claude Code user context
- Run Claude Code inside an additional container layer with read-only mounts over the configuration directory until patched binaries are deployed
# Configuration example: pre-create and protect settings.json
touch ~/.claude/settings.json
chmod 444 ~/.claude/settings.json
chattr +i ~/.claude/settings.json # immutable flag (Linux ext4/xfs)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
