CVE-2025-52882: CWE-1385: Missing Origin Validation in WebSockets in anthropics claude-code
Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, PyCharm, and Android Studio) are vulnerable to unauthorized WebSocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For JetBrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.

In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.

Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launches it and auto-updates the extensions, users should take the following steps; the exact steps depend on the integrated development environment (IDE).

For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View->Extensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE.

For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE.
AI Analysis
Technical Summary
CVE-2025-52882 is a high-severity vulnerability affecting the Claude Code agentic coding tool extensions integrated into popular IDEs such as Visual Studio Code (VSCode) and its forks (Cursor, Windsurf, VSCodium), as well as JetBrains IDEs (IntelliJ, PyCharm, Android Studio). The root cause is a missing origin validation in the WebSocket implementation used by these extensions, classified under CWE-1385. This flaw allows attacker-controlled websites to establish unauthorized WebSocket connections to the vulnerable IDE extensions when a user visits a malicious webpage. In VSCode and its forks, exploitation enables an attacker to read arbitrary files accessible to the IDE, enumerate open files, capture selection and diagnostic events, and under limited conditions—specifically when a user has an open Jupyter Notebook and accepts a malicious prompt—execute arbitrary code. For JetBrains IDEs, the attacker can obtain selection events, lists of open files, and syntax error information, which could aid further targeted attacks or information leakage. The vulnerability affects Claude Code for VSCode versions 0.2.116 through 1.0.23 and JetBrains plugin beta versions 0.1.1 through 0.1.8. Claude released patches on June 13, 2025, addressing the issue by implementing proper origin validation to prevent unauthorized WebSocket connections. The vulnerability has a CVSS 4.0 base score of 8.8, reflecting its high impact on confidentiality and integrity, with network attack vector, low attack complexity, and requiring user interaction (visiting a malicious webpage and potentially accepting a prompt). No known exploits are currently reported in the wild. Users must update or uninstall vulnerable versions and restart their IDEs to mitigate the risk.
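The control that CWE-1385 describes, as an added example that is not Claude Code's own code or patch: a Node.js server that vets the Origin header of a WebSocket upgrade request before completing the RFC 6455 handshake. The allowed origin and the function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const http = require('node:http');

// Assumption: the single web origin allowed to connect (constructed value).
const ALLOWED_ORIGINS = new Set(['https://ide-panel.example']);
const WS_GUID = '258EAFA5-E914-47DA-95CA-C5AB0DC85B11'; // fixed by RFC 6455

// Browsers attach Origin to every WebSocket handshake and page script cannot
// alter it. Compare by exact match: substring or prefix tests accept look-alike
// hosts, and the literal string "null" (sandboxed frames) must not pass.
function originAllowed(headers) {
  const origin = headers.origin;
  // No Origin means a non-browser client; this check says nothing about
  // those, so they need their own authentication.
  if (origin === undefined) return true;
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Build the raw HTTP reply for an upgrade request: 403, 400 or the 101 accept.
function handshakeResponse(headers) {
  if (!originAllowed(headers)) {
    return 'HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n';
  }
  const key = headers['sec-websocket-key'];
  if (typeof key !== 'string') {
    return 'HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n';
  }
  const accept = crypto.createHash('sha1').update(key + WS_GUID).digest('base64');
  return 'HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n' +
         `Connection: Upgrade\r\nSec-WebSocket-Accept: ${accept}\r\n\r\n`;
}

// Wire the check in so it runs before any WebSocket frame is read.
function createServer() {
  const server = http.createServer((req, res) => { res.writeHead(426); res.end(); });
  server.on('upgrade', (req, socket) => {
    const reply = handshakeResponse(req.headers);
    if (reply.startsWith('HTTP/1.1 101')) socket.write(reply); // frame handling follows
    else socket.end(reply);
  });
  return server; // the caller binds it, e.g. server.listen(0, '127.0.0.1')
}
```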
Potential Impact
For European organizations, this vulnerability poses significant risks, especially for software development teams relying on the affected IDEs and Claude Code extensions. The ability for attackers to read arbitrary files and monitor IDE activities can lead to leakage of sensitive source code, intellectual property, and potentially credentials or configuration files stored or accessed within the IDE environment. The limited code execution capability in VSCode when Jupyter Notebooks are open further elevates the risk, potentially allowing attackers to execute malicious code within the developer's environment, leading to broader compromise. This can disrupt development workflows, cause data breaches, and facilitate supply chain attacks if compromised code is pushed to production. Given the widespread use of VSCode and JetBrains IDEs across European tech companies, research institutions, and government agencies, the vulnerability could impact a broad spectrum of sectors. The attack vector—via malicious webpages—means that phishing or drive-by attacks could be leveraged, increasing the threat surface. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate it, as public disclosure and patch availability may prompt attackers to develop exploits. Organizations with remote or hybrid workforces may be particularly vulnerable due to increased exposure to web-based threats.
Mitigation Recommendations
1. Immediate action should be to verify the versions of Claude Code extensions installed in all developer IDEs (VSCode, Cursor, Windsurf, VSCodium, IntelliJ, PyCharm, Android Studio).
2. Update the Claude Code for VSCode extension to version 1.0.24 or later and the JetBrains Claude Code [Beta] plugin to version 0.1.9 or later. If updates are not feasible immediately, uninstall the vulnerable extensions to eliminate exposure.
3. Restart the IDE after updating or uninstalling to ensure the patch takes effect.
4. Implement network-level controls to restrict outbound WebSocket connections from developer machines to untrusted domains, reducing the risk of unauthorized connections initiated by malicious webpages.
5. Educate developers about the risks of visiting untrusted websites while working in their IDEs, especially when using extensions that interact with external services.
6. Monitor IDE logs and network traffic for unusual WebSocket connections or file access patterns that could indicate exploitation attempts.
7. For organizations using Jupyter Notebooks within VSCode, enforce policies to avoid accepting prompts from untrusted sources and consider disabling notebook features if not required.
8. Incorporate vulnerability scanning and patch management processes specifically targeting development tools and their extensions to ensure timely updates in the future.
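For steps 1 and 2, an added example (not part of the advisory or of Claude Code) that classifies installed versions against the ranges stated above and reads the output of `code --list-extensions --show-versions`. The extension ID `anthropic.claude-code`, the status names and the sample listing are assumptions to confirm on your own hosts.

```javascript
// Version ranges as stated in the advisory (inclusive); `fixed` is the first safe release.
const AFFECTED = {
  vscode: { first: '0.2.116', last: '1.0.23', fixed: '1.0.24' },
  jetbrains: { first: '0.1.1', last: '0.1.8', fixed: '0.1.9' },
};
// Assumption: Marketplace ID of the VS Code extension; confirm it locally.
const VSCODE_EXT_ID = 'anthropic.claude-code';

// Numeric, component-wise comparison, so 0.10.0 sorts after 0.1.9.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

function classify(family, version) {
  const range = AFFECTED[family];
  if (!range || !/^\d+(\.\d+)*$/.test(version)) return 'unknown';
  if (compareVersions(version, range.fixed) >= 0) return 'patched';
  const inRange = compareVersions(version, range.first) >= 0 &&
                  compareVersions(version, range.last) <= 0;
  // Below the fix but outside the stated range: the advisory still says update.
  return inRange ? 'vulnerable' : 'update-advised';
}

// Input: output of `code --list-extensions --show-versions`, one id@version per line.
function auditVsCodeListing(text) {
  const findings = [];
  for (const line of text.split(/\r?\n/)) {
    const at = line.lastIndexOf('@');
    if (at <= 0) continue; // not an id@version line
    const id = line.slice(0, at).trim().toLowerCase();
    const version = line.slice(at + 1).trim();
    if (id === VSCODE_EXT_ID) findings.push({ id, version, status: classify('vscode', version) });
  }
  return findings;
}

// Constructed sample listing, not taken from a real host.
const SAMPLE_LISTING = 'ms-python.python@2025.6.1\nanthropic.claude-code@1.0.23\n';
```

JetBrains plugin versions gathered by other means can be passed to `classify('jetbrains', version)`.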
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Ireland, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-06-20T17:42:25.708Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 685b087866faf0c1de3b0f81
Added to database: 6/24/2025, 8:20:08 PM
Last enriched: 6/24/2025, 8:34:22 PM
Last updated: 8/17/2025, 12:47:53 PM