CVE-2025-59536 is a high-severity code injection vulnerability affecting versions of the Anthropics Claude Code agentic coding tool prior to 1.0.111. The root cause lies in improper control of code generation (CWE-94) due to a bug in the startup trust dialog implementation. Specifically, Claude Code could be tricked into executing malicious code embedded within a project directory before the user had accepted the startup trust dialog prompt. This premature execution occurs when a user launches Claude Code in an untrusted directory, allowing an attacker to inject and run arbitrary code without prior user consent. The vulnerability does not require any privileges or authentication but does require user interaction in the form of starting the application in a malicious directory. The flaw was addressed in version 1.0.111, and users who rely on the standard auto-update mechanism have already received the fix. Manual updaters are advised to upgrade promptly. The CVSS 4.0 base score of 8.7 reflects the network attack vector, low attack complexity, no privileges required, but user interaction needed, and high impact on confidentiality, integrity, and availability. No known exploits are currently observed in the wild, but the potential for impactful exploitation remains significant given the ability to execute arbitrary code remotely via crafted project directories.

For European organizations, this vulnerability poses a substantial risk, especially for software development teams and enterprises leveraging Claude Code for coding automation or agentic coding workflows. Successful exploitation could lead to arbitrary code execution, enabling attackers to compromise development environments, steal intellectual property, inject malicious code into software projects, or disrupt software delivery pipelines. This could result in data breaches, supply chain compromises, and operational downtime. Given the high impact on confidentiality, integrity, and availability, organizations could face regulatory repercussions under GDPR if sensitive data is exposed or manipulated. The requirement for user interaction (launching the tool in a malicious directory) means social engineering or insider threats could facilitate exploitation. The lack of privilege requirements broadens the attack surface, making it easier for attackers to target less privileged users. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly once disclosed.

European organizations should ensure all instances of Claude Code are updated to version 1.0.111 or later immediately. For users relying on manual updates, a thorough inventory of installed versions should be conducted to identify and remediate outdated installations. Additionally, organizations should implement strict controls on directory permissions and restrict execution of software in untrusted or user-writable directories to reduce the risk of launching Claude Code in malicious project folders. Security awareness training should emphasize the risks of opening software in untrusted directories and encourage vigilance against social engineering attempts. Endpoint protection solutions should be configured to monitor and block suspicious code execution originating from user directories. Incorporating application whitelisting and sandboxing techniques can further limit the impact of potential exploitation. Finally, organizations should monitor threat intelligence feeds for any emerging exploits related to this CVE and prepare incident response plans accordingly.