CVE-2025-59041 is a high-severity code injection vulnerability (CWE-94) affecting the anthropics claude-code agentic coding tool in versions prior to 1.0.105. Claude Code executes a command at startup that incorporates the output of `git config user.email` into a command template. If an attacker can maliciously configure the git user email, they can inject arbitrary code that will be executed before the user has accepted the workspace trust dialog. This means that code execution can occur without explicit user consent or interaction beyond opening the workspace, posing a significant risk. The vulnerability arises from improper control over code generation, allowing untrusted input (the git user email) to be executed as code. The CVSS 4.0 score is 8.7, reflecting a high impact on confidentiality, integrity, and availability, with no privileges or authentication required, and only user interaction being the acceptance of a workspace that is not yet trusted. Although no known exploits are currently reported in the wild, the vulnerability is critical enough that users on standard auto-update channels have already received the fix in version 1.0.105, and manual updates are strongly recommended. This vulnerability could be exploited by attackers who can influence the git configuration on a target machine, such as through compromised repositories or insider threats, leading to arbitrary code execution in the context of the user running Claude Code.

For European organizations, this vulnerability poses a serious risk, especially for software development teams and DevOps environments that use Claude Code for coding assistance. Successful exploitation could lead to arbitrary code execution, enabling attackers to steal sensitive intellectual property, inject malicious code into software projects, or disrupt development workflows. The early execution before workspace trust acceptance means that standard security prompts may not prevent exploitation, increasing the risk of undetected compromise. Organizations handling sensitive data or critical infrastructure software development could face confidentiality breaches, integrity violations of codebases, and potential availability issues if attackers deploy ransomware or destructive payloads. The risk is amplified in collaborative environments where git repositories are shared, as malicious git user email configurations could be propagated. Additionally, the vulnerability could be leveraged for lateral movement within networks if attackers gain initial access to a developer's machine.

European organizations should ensure that all installations of anthropics claude-code are updated to version 1.0.105 or later immediately. For environments where manual updates are performed, establish strict patch management policies to verify the version in use. Implement controls to restrict who can modify git configurations, especially the user.email field, to prevent malicious injection. Use endpoint protection solutions that can detect and block suspicious command executions triggered by development tools. Educate developers about the risks of opening untrusted workspaces and encourage the use of workspace trust features. Consider isolating development environments or using containerized setups to limit the impact of potential code execution. Regularly audit git configurations across developer machines to detect anomalies. Finally, monitor for unusual process executions or network activity originating from developer tools to identify potential exploitation attempts early.