Threat Advisory

Claude Code Vulnerabilities Lead to Command Injection and Sandbox Escapes

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A series of vulnerabilities in the Claude Code agentic coding tool allow untrusted or malicious input to undermine core security assumptions in the tool’s local execution environment. Multiple command‑injection and escape flaws can be leveraged to bypass sandbox protections and write restrictions: attackers who can inject untrusted content into a Claude Code context window may navigate into sensitive directories and bypass write protections to create or modify files, and improper validation of piped command can be used to evade file write restrictions and alter sensitive locations outside the intended project scope. Additionally, weaknesses in permission denial enforcement via symbolic links permit access to restricted files despite deny rules. Together these issues enable unauthorized modifications to local files and persistent configuration manipulation, posing a risk of unintended code execution and privilege escalation on systems where Claude Code is used without proper mitigation. Users should update to patched releases that correct directory validation, command validation, sandbox isolation, and symbolic link handling to mitigate these threats.

  • CVE-2026-25722: It is a directory traversal and command injection issue in Claude Code that allows bypassing write protections to modify files. An attacker can insert untrusted content to navigate into sensitive directories and perform unauthorized changes. The vulnerability has a CVSS score of 7.7.
  • CVE-2026-25723: It is a command injection flaw in Claude Code where improper validation of piped sed commands allowed attackers to bypass file write restrictions and modify files outside intended limits. Successful exploitation requires the ability to execute commands via Claude Code’s accept edits feature, enabling writes to unintended locations. The vulnerability has a CVSS score of 7.7.
  • CVE‑2026‑25724: It is a symbolic link permission deny bypass in Claude Code where deny rules aren’t strictly enforced when following symlinks, allowing unintended file access.  This flaw can be leveraged to read restricted files through linked paths despite configuration deny rules. The vulnerability has a CVSS score of 2.3.
  • CVE‑2026‑25725: It is a sandbox escape in Claude Code allows creation of configuration files when missing, letting malicious code persist hooks. Untrusted code can bypass sandbox protections and execute actions on the host with elevated privileges. The vulnerability has a CVSS score of 7.7.

 

RECOMMENDATION:

We strongly recommend you update Claude Code to below version:

  • 2.0.57 or later.
  • 2.0.55 or later.
  • 2.1.7 or later.
  • 2.1.2 or later.

 

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-66q4-vfjg-2qhh

https://github.com/advisories/GHSA-mhg7-666j-cqg4

https://github.com/advisories/GHSA-4q92-rfm6-2cqx

https://github.com/advisories/GHSA-ff64-7w26-62rf

 

crossmenu