CVE-2025-59536
HIGH
Claude Code < 1.0.111 - Code Injection via Startup Trust Dialog Bypass
Title source: llm
Exploitation Summary
EIP tracks 7 public exploits for CVE-2025-59536. PoCs published by atiilla, tacdm, Razi-Interactive.
AI-analyzed exploit summary: This repository contains functional exploit code demonstrating CVE-2026-21852, an API key exfiltration vulnerability in Anthropic's Claude Code CLI tool. The PoC includes a MITM proxy to capture API keys and a scanner to detect vulnerable configurations.
Description
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked into executing code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.111.
Exploits (7)
This repository contains functional exploit code demonstrating CVE-2026-21852, an API key exfiltration vulnerability in Anthropic's Claude Code CLI tool. The PoC includes a MITM proxy to capture API keys and a scanner to detect vulnerable configurations.
This repository demonstrates CVE-2025-59536, a vulnerability in Claude Code < 1.0.111 that allows arbitrary code execution through malicious `.claude/settings.json` hooks. The PoC includes a benign payload that writes system info to a file, proving the exploit's functionality.
This repository contains a scanner tool for detecting known security risks in Claude Code projects, specifically targeting CVE-2025-59536 and other related vulnerabilities. It checks for malicious patterns in configuration files, prompt injections, and suspicious payloads without executing any code.
This repository contains a static analysis tool designed to scan for malicious AI-IDE configuration files that could lead to RCE, credential theft, or persistent compromise. It checks for various attack vectors such as Claude Code hooks, Unicode smuggling in rules files, MCP auto-registration, and API base-URL redirection.
The repository claims to exploit CVE-2025-59536 but lacks actual exploit code, instead redirecting users to an external download link (tinyurl.com). The README provides minimal technical details and reads like a generic vulnerability summary.
The repository provides a detailed technical analysis of CVE-2025-59536, focusing on the root cause (lack of cryptographic authentication in AI instruction execution) and proposing a quantum-based solution (Aether Protocol) to mitigate such vulnerabilities. It includes architectural details, security properties, and real-world deployment metrics.
This PoC demonstrates a UI/UX flaw in Anthropic's Claude Code where an attacker-controlled MCP server can misrepresent tool parameters in confirmation prompts, leading users to approve benign actions while executing malicious commands. The provided server.py file contains functional exploit code that simulates this behavior.
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H