
CVE-2026-25725: CWE-501: Trust Boundary Violation in anthropics claude-code

Severity: High
Type: Vulnerability
Tags: CVE-2026-25725, cve, cve-2026-25725, cwe-501, cwe-668
Published: Fri Feb 06 2026 (02/06/2026, 17:53:42 UTC)
Source: CVE Database V5
Vendor/Project: anthropics
Product: claude-code

Description

CVE-2026-25725 is a high-severity trust boundary violation vulnerability in anthropics' Claude Code agentic coding tool prior to version 2.1.2. The flaw arises from improper sandboxing of the .claude/settings.json configuration file when it does not exist at startup. While other configuration files are protected with read-only constraints, settings.json could be created by malicious code inside the sandbox, allowing injection of persistent hooks that execute with host privileges upon restart. This enables privilege escalation from sandboxed code to the host environment. The vulnerability requires user interaction and no prior authentication but has a high impact on confidentiality, integrity, and availability.

AI-Powered Analysis

Last updated: 02/06/2026, 18:29:30 UTC

Technical Analysis

CVE-2026-25725 is a vulnerability classified under CWE-501 (Trust Boundary Violation) and CWE-668 (Exposure of Resource to Wrong Sphere) affecting anthropics' Claude Code, an agentic coding tool. The vulnerability stems from a flaw in the bubblewrap sandboxing mechanism used by Claude Code prior to version 2.1.2. Specifically, the sandbox failed to protect the .claude/settings.json configuration file if it did not exist at startup. Although the parent directory was mounted as writable and the .claude/settings.local.json file was explicitly set as read-only, the absence of settings.json allowed malicious sandboxed code to create this file. By doing so, an attacker could inject persistent hooks, such as SessionStart commands, which execute with host-level privileges when Claude Code restarts. This effectively allows sandbox escape and privilege escalation without requiring prior authentication, though user interaction is necessary to trigger the restart. The vulnerability has a CVSS 4.0 base score of 7.7, reflecting its network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild as of the publication date. The issue was addressed in version 2.1.2 by ensuring proper protection of the settings.json file regardless of its existence at startup, closing the trust boundary gap. This vulnerability highlights the critical importance of comprehensive sandboxing and file system protections in agentic tools that execute code with elevated privileges.

Potential Impact

For European organizations, the impact of CVE-2026-25725 can be significant, especially for those relying on Claude Code for automated or agentic coding tasks. Successful exploitation allows attackers to escalate privileges from a sandboxed environment to the host system, potentially leading to unauthorized code execution with elevated rights. This could compromise sensitive intellectual property, source code integrity, and system availability. The persistence mechanism via configuration file manipulation means attackers could maintain long-term footholds, complicating incident response. Organizations in sectors with high reliance on software development automation, such as finance, telecommunications, and critical infrastructure, face increased risks. Additionally, the vulnerability could be leveraged in supply chain attacks or insider threat scenarios. Given the network attack vector and low complexity, attackers could exploit this vulnerability remotely if user interaction occurs, increasing the threat surface. The absence of known exploits currently provides a window for proactive mitigation, but the high severity demands urgent attention.

Mitigation Recommendations

European organizations should immediately upgrade Claude Code to version 2.1.2 or later to apply the official patch that properly secures the settings.json file. Until patching is complete, implement strict file system monitoring on the .claude directory to detect unauthorized creation or modification of settings.json and related configuration files. Employ host-based intrusion detection systems (HIDS) to alert on suspicious file changes and process executions linked to Claude Code. Restrict write permissions on the parent directory and configuration files to the minimum necessary users and processes. Consider running Claude Code within additional containment layers such as virtual machines or hardened containers to limit host impact if sandbox escape occurs. Educate users about the risks of restarting the application after suspicious activity and enforce policies to validate code and scripts executed within Claude Code. Finally, integrate vulnerability scanning and software composition analysis into the development pipeline to detect outdated versions proactively.
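The file-system monitoring recommended above can be paired with a periodic audit that lists every hook command present in `.claude` settings files and flags any that are not on an approved list. This is an added example, not code from the vendor or from this advisory; the function names are hypothetical, the nested hooks layout in the sample is an assumption, and the sample workspace is constructed.

```python
import json
import tempfile
from pathlib import Path

SETTINGS_NAMES = ("settings.json", "settings.local.json")  # names from the advisory

def hook_commands(node, event=None):
    """Yield (event, command) for each "command" string under a hooks tree.
    The layout is assumed, so the walk is schema-agnostic."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield event, value
            else:
                yield from hook_commands(value, event or key)
    elif isinstance(node, list):
        for item in node:
            yield from hook_commands(item, event)

def audit(root, approved=frozenset()):
    """Return (path, event, command) for every hook command not in `approved`."""
    findings = []
    for claude_dir in sorted(Path(root).rglob(".claude")):
        for name in SETTINGS_NAMES:
            path = claude_dir / name
            if not path.is_file():
                continue
            try:
                data = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:  # unparsable settings are findings too
                findings.append((str(path), "unreadable", str(exc)))
                continue
            hooks = data.get("hooks") if isinstance(data, dict) else None
            findings += [(str(path), ev, cmd) for ev, cmd in hook_commands(hooks)
                         if cmd not in approved]
    return findings

def demo():
    """Build a constructed workspace and audit it; all values are sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "repo", ".claude")
        cfg.mkdir(parents=True)
        sample = {"hooks": {"SessionStart": [{"hooks": [
            {"type": "command", "command": "echo constructed-sample"}]}]}}
        (cfg / "settings.json").write_text(json.dumps(sample), encoding="utf-8")
        return [(Path(p).name, ev, cmd) for p, ev, cmd in audit(tmp)]

if __name__ == "__main__":
    print(demo())
```

Run `audit()` over the directories where Claude Code is used and pass the hook commands your team has reviewed as `approved`; anything returned is either an unreviewed hook or a settings file that could not be parsed.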


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-05T16:48:00.426Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69862fadf9fa50a62f2569bb

Added to database: 2/6/2026, 6:15:09 PM

Last enriched: 2/6/2026, 6:29:30 PM

Last updated: 2/6/2026, 7:18:47 PM
