
CVE-2025-59536: CWE-94: Improper Control of Generation of Code ('Code Injection') in anthropics claude-code

Severity: High
Type: Vulnerability
Tags: CVE-2025-59536, cve, cve-2025-59536, cwe-94
Published: Fri Oct 03 2025 (10/03/2025, 06:34:48 UTC)
Source: CVE Database V5
Vendor/Project: anthropics
Product: claude-code

Description

Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked into executing code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.

AI-Powered Analysis

Last updated: 10/10/2025, 07:46:40 UTC

Technical Analysis

CVE-2025-59536 is a high-severity code injection vulnerability (CWE-94) in anthropics Claude Code, an agentic coding tool used for automated code generation and development workflows. It stems from a flaw in the startup trust dialog implementation in versions before 1.0.111: Claude Code does not properly prevent code contained in a project directory from executing before the user has accepted the startup trust dialog. If a user starts Claude Code in an untrusted or maliciously crafted directory, arbitrary code embedded in that directory can execute without explicit user consent.

Exploitation requires no privileges or authentication, but it does require user interaction in the form of opening the project directory in Claude Code. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H) indicates a network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. This could allow attackers to execute arbitrary code remotely, potentially leading to full system compromise, data theft, or disruption of development environments.

The issue is patched in version 1.0.111, and users relying on the standard auto-update mechanism have already received the fix. Users who update manually must upgrade promptly. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risk of insufficient trust validation in developer tools that execute code automatically, and the need for secure startup workflows and user consent mechanisms.

Potential Impact

For European organizations, the impact of CVE-2025-59536 can be significant, especially for those relying on Claude Code in software development, automation, or continuous integration pipelines. Successful exploitation could lead to arbitrary code execution within developer environments, compromising source code integrity, leaking sensitive intellectual property, or enabling lateral movement within corporate networks. This could disrupt development operations, cause data breaches, or introduce malicious code into production software. The high CVSS score reflects the potential for widespread damage due to the tool’s role in code generation and execution. Organizations with less mature security practices around workspace trust or those that allow developers to open untrusted directories are at higher risk. Additionally, supply chain risks arise if compromised developer environments propagate malicious code downstream. The lack of required privileges for exploitation lowers the barrier for attackers, increasing the threat surface. Although no active exploits are known, the vulnerability’s characteristics make it a prime target for attackers seeking to infiltrate development environments.

Mitigation Recommendations

1. Immediately update all instances of anthropics Claude Code to version 1.0.111 or later to ensure the vulnerability is patched.
2. Disable or restrict the ability to open projects from untrusted directories, enforcing strict workspace trust policies within development teams.
3. Educate developers and users about the risks of opening untrusted project directories and the importance of verifying project sources before loading.
4. Implement endpoint security controls that monitor and restrict unauthorized code execution within developer environments.
5. Integrate runtime application self-protection (RASP) or behavior monitoring to detect anomalous code execution patterns originating from Claude Code processes.
6. Review and harden CI/CD pipelines to prevent injection of malicious code from compromised developer workstations.
7. For organizations performing manual updates, establish automated patch management processes to reduce update delays.
8. Conduct regular security audits of developer tools and their configurations to identify and remediate trust-related vulnerabilities.
9. Consider network segmentation to isolate development environments from critical production systems to limit lateral movement in case of compromise.
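
A fleet check for recommendation 1, as an added example (not part of the advisory or of Claude Code): it classifies hosts against the fixed version 1.0.111 using numeric comparison, because a plain string comparison would rank 1.0.9 above 1.0.111. The inventory, the host names and the version-string format are constructed assumptions.

```python
import re

# First patched release, taken from the advisory text.
FIXED = (1, 0, 111)

# Assumption: the collected string contains a MAJOR.MINOR.PATCH triple somewhere.
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if no version is found."""
    match = _VERSION.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one collected version string against the fixed release."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # tool missing or output unparseable: follow up by hand
    # Tuple comparison is numeric per component, so (1, 0, 9) < (1, 0, 111).
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory):
    """Group hosts by status from (host, collected_version_string) pairs."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, raw in inventory:
        report[classify(raw)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and collected strings).
SAMPLE = [
    ("dev-laptop-01", "1.0.110 (Claude Code)"),
    ("dev-laptop-02", "1.0.111 (Claude Code)"),
    ("ci-runner-03", "1.0.9"),
    ("dev-laptop-04", "2.0.1 (Claude Code)"),
    ("build-host-05", "command not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be treated as unverified rather than safe.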


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-09-17T17:04:20.373Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68df70b3322c599a48f0ae64

Added to database: 10/3/2025, 6:44:03 AM

Last enriched: 10/10/2025, 7:46:40 AM

Last updated: 11/17/2025, 2:59:08 AM
