Anthropics claude-code is an agentic coding tool that, prior to version 2.1.53, determined its permission mode based on settings files, including the repository-controlled .claude/settings.json. This design flaw allowed a malicious repository to manipulate the permissions.defaultMode setting by setting it to bypassPermissions. When this occurs, the tool skips the workspace trust confirmation dialog that normally prompts users to confirm trust before enabling permissive execution modes. As a result, users opening such a repository would unknowingly enter a permissive mode, enabling the repository to execute potentially malicious code without explicit user approval. This vulnerability is classified under CWE-807, which involves reliance on untrusted inputs in security decisions. The CVSS 4.0 score of 7.7 reflects a high severity due to network attack vector, low attack complexity, partial attack and user interaction required, and high impact on confidentiality, integrity, and availability. The issue was addressed and patched in claude-code version 2.1.53 by removing reliance on untrusted repository-controlled settings for permission decisions.

The vulnerability allows attacker-controlled repositories to bypass the workspace trust confirmation dialog, leading to silent elevation of permissions and enabling execution of potentially malicious code within the claude-code environment. This can compromise confidentiality, integrity, and availability of user projects and systems where claude-code is used. Organizations relying on claude-code for coding automation or agentic tasks risk unauthorized code execution, data leakage, or system compromise. Since the attack requires user interaction (opening a malicious repository), social engineering or supply chain attack vectors are likely. The scope includes all users running vulnerable versions (<2.1.53) who open attacker-controlled repositories. The absence of explicit user consent increases the risk of unnoticed compromise, which can facilitate further lateral movement or persistent threats within development environments.

1. Upgrade anthropics claude-code to version 2.1.53 or later immediately to apply the patch that removes reliance on untrusted repository-controlled settings for permission decisions. 2. Implement strict repository vetting and code review policies to prevent malicious repositories from being introduced into development workflows. 3. Educate users about the risks of opening untrusted repositories and encourage verification of repository sources before use. 4. Employ endpoint security solutions that monitor and restrict unauthorized code execution within development environments. 5. Consider isolating development environments or using sandboxing techniques to limit the impact of potential malicious code execution. 6. Monitor logs and alerts for unusual activity related to claude-code usage, especially around permission changes or unexpected executions.