Claude Code 2.1.2: Bubblewrap Sandbox Missing settings.json Exploit
CVE-2026-25725 Published on February 6, 2026

Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

NVD

Weakness Types

Trust Boundary Violation

The product mixes trusted and untrusted data in the same data structure or structured message. A trust boundary can be thought of as line drawn through a program. On one side of the line, data is untrusted. On the other side of the line, data is assumed to be trustworthy. The purpose of validation logic is to allow data to safely cross the trust boundary - to move from untrusted to trusted. A trust boundary violation occurs when a program blurs the line between what is trusted and what is untrusted. By combining trusted and untrusted data in the same data structure, it becomes easier for programmers to mistakenly trust unvalidated data.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Products Associated with CVE-2026-25725

Want to know whenever a new CVE is published for Anthropic Claude Code? stack.watch will email you.

Anthropic Claude Code
 

Affected Versions

anthropics claude-code Version < 2.1.2 is affected by CVE-2026-25725

Exploit Probability

EPSS
0.06%
Percentile
17.36%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.