Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json
Description
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@anthropic-ai/claude-codenpm | < 2.1.2 | 2.1.2 |
Affected products
1- Range: < 2.1.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-ff64-7w26-62rfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-25725ghsaADVISORY
- github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rfghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.