npm package

@anthropic-ai/claude-code

pkg:npm/%40anthropic-ai/claude-code

Vulnerabilities (24)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-40068	Hig	8.8	>= 2.1.63, < 2.1.84	2.1.84	May 5, 2026	In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted,
CVE-2026-39861	Cri	10.0	< 2.1.64	2.1.64	Apr 21, 2026	Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed proce
CVE-2026-35603	Hig	7.3	< 2.1.75	2.1.75	Apr 17, 2026	Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData direc
CVE-2026-33068		—	< 2.1.53	2.1.53	Mar 20, 2026	Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set p
CVE-2026-25725		—	< 2.1.2	2.1.2	Feb 6, 2026	Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/se
CVE-2026-25724		—	< 2.1.7	2.1.7	Feb 6, 2026	Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code
CVE-2026-25723		—	< 2.0.55	2.0.55	Feb 6, 2026	Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories lik
CVE-2026-25722		—	< 2.0.57	2.0.57	Feb 6, 2026	Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypa
CVE-2026-24887		—	< 2.0.72	2.0.72	Feb 3, 2026	Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to
CVE-2026-24053		—	< 2.0.74	2.0.74	Feb 3, 2026	Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting
CVE-2026-24052		—	< 1.0.111	1.0.111	Feb 3, 2026	Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org,
CVE-2026-21852		—	< 2.0.65	2.0.65	Jan 21, 2026	Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings
CVE-2025-66032		—	< 1.0.93	1.0.93	Dec 3, 2025	Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability
CVE-2025-64755		—	< 2.0.31	2.0.31	Nov 21, 2025	Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
CVE-2025-65099		—	< 1.0.39	1.0.39	Nov 19, 2025	Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would h
CVE-2025-59829		—	< 1.0.120	1.0.120	Oct 3, 2025	Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Cod
CVE-2025-59536		—	< 1.0.111	1.0.111	Oct 3, 2025	Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploit
CVE-2025-59828		—	< 1.0.39	1.0.39	Sep 24, 2025	Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be ex
CVE-2025-59041		—	< 1.0.105	1.0.105	Sep 10, 2025	Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the workspace
CVE-2025-58764		—	< 1.0.105	1.0.105	Sep 10, 2025	Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted con

CVE-2026-40068HigMay 5, 2026
affected >= 2.1.63, < 2.1.84fixed 2.1.84
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted,
CVE-2026-39861CriApr 21, 2026
affected < 2.1.64fixed 2.1.64
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed proce
CVE-2026-35603HigApr 17, 2026
affected < 2.1.75fixed 2.1.75
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData direc
CVE-2026-33068Mar 20, 2026
affected < 2.1.53fixed 2.1.53
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set p
CVE-2026-25725Feb 6, 2026
affected < 2.1.2fixed 2.1.2
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/se
CVE-2026-25724Feb 6, 2026
affected < 2.1.7fixed 2.1.7
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code
CVE-2026-25723Feb 6, 2026
affected < 2.0.55fixed 2.0.55
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories lik
CVE-2026-25722Feb 6, 2026
affected < 2.0.57fixed 2.0.57
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypa
CVE-2026-24887Feb 3, 2026
affected < 2.0.72fixed 2.0.72
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to
CVE-2026-24053Feb 3, 2026
affected < 2.0.74fixed 2.0.74
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting
CVE-2026-24052Feb 3, 2026
affected < 1.0.111fixed 1.0.111
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org,
CVE-2026-21852Jan 21, 2026
affected < 2.0.65fixed 2.0.65
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings
CVE-2025-66032Dec 3, 2025
affected < 1.0.93fixed 1.0.93
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability
CVE-2025-64755Nov 21, 2025
affected < 2.0.31fixed 2.0.31
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
CVE-2025-65099Nov 19, 2025
affected < 1.0.39fixed 1.0.39
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would h
CVE-2025-59829Oct 3, 2025
affected < 1.0.120fixed 1.0.120
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Cod
CVE-2025-59536Oct 3, 2025
affected < 1.0.111fixed 1.0.111
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploit
CVE-2025-59828Sep 24, 2025
affected < 1.0.39fixed 1.0.39
Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be ex
CVE-2025-59041Sep 10, 2025
affected < 1.0.105fixed 1.0.105
Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the workspace
CVE-2025-58764Sep 10, 2025
affected < 1.0.105fixed 1.0.105
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted con

Page 1 of 2