High severityNVD Advisory· Published Sep 10, 2025· Updated Oct 15, 2025
Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
CVE-2025-59041
Description
Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with git config user.email. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the workspace trust dialog. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@anthropic-ai/claude-codenpm | < 1.0.105 | 1.0.105 |
Affected products
1- Range: < 1.0.105
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-j4h9-wv2m-wrf7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-59041ghsaADVISORY
- github.com/anthropics/claude-code/security/advisories/GHSA-j4h9-wv2m-wrf7ghsax_refsource_CONFIRMWEB
- www.npmjs.com/package/@anthropic-ai/claude-code/v/1.0.105ghsaWEB
News mentions
0No linked articles in our index yet.