CVE-2026-25725: Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to p
criticalvulnerabilityLLM-Specific
security
Summary
Claude Code, a tool that uses AI to help write software, had a security flaw in versions before 2.1.2 where its bubblewrap sandboxing mechanism (a security container that isolates code) failed to protect a settings file called .claude/settings.json if it didn't already exist. This allowed malicious code running inside the sandbox to create this file and add persistent hooks (startup commands that execute automatically), which would then run with elevated host privileges when Claude Code restarted.
Solution / Mitigation
This issue has been patched in version 2.1.2.
Vulnerability Details
CVSS Score
10(critical)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Type
Supply Chain
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
Anthropic
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-25725
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 95%