Description
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.
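The failure mode above is easy to check for from the defender's side: whatever builds the sandbox argument list must pin a protected file read-only even when it does not exist yet. The Python below is an added illustration, not Claude Code's own sandbox code; it models a bubblewrap mount plan over a constructed temporary project and audits it. The `PROTECTED` list and the choice to materialise an empty `{}` config are assumptions.

```python
import os
import tempfile

# Files under <project>/.claude that must stay read-only inside the sandbox.
# Names come from the advisory; treating them as a fixed list is an assumption.
PROTECTED = (".claude/settings.json", ".claude/settings.local.json")


def mount_args(project: str, harden: bool) -> list:
    """Build a bubblewrap argv: project dir writable, settings files read-only.
    harden=False models the flaw: a missing protected file gets no --ro-bind."""
    args = ["--bind", project, project]
    for rel in PROTECTED:
        path = os.path.join(project, rel)
        if not os.path.exists(path):
            if not harden:
                continue  # flawed: nothing to bind, path silently left creatable
            # hardened: pin a valid empty config ("{}" being acceptable is an assumption)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("{}\n")
        args += ["--ro-bind", path, path]
    return args


def unprotected(args: list, project: str) -> list:
    """Audit an argv: protected paths under a writable --bind with no --ro-bind."""
    writable, readonly = [], set()
    for i, tok in enumerate(args):
        if tok == "--bind":
            writable.append(args[i + 2])
        elif tok == "--ro-bind":
            readonly.add(args[i + 2])
    exposed = []
    for rel in PROTECTED:
        path = os.path.join(project, rel)
        under_writable = any(path.startswith(w.rstrip("/") + "/") for w in writable)
        if under_writable and path not in readonly:
            exposed.append(rel)
    return exposed


def demo() -> tuple:
    """Constructed scenario: fresh project where only settings.local.json exists."""
    project = tempfile.mkdtemp()
    os.makedirs(os.path.join(project, ".claude"))
    open(os.path.join(project, ".claude", "settings.local.json"), "w").close()
    flawed = unprotected(mount_args(project, harden=False), project)
    fixed = unprotected(mount_args(project, harden=True), project)
    return flawed, fixed  # (['.claude/settings.json'], [])
```

Running the audit against the real argument list a sandbox launcher produces, before it is passed to bwrap, turns this class of omission into a startup failure rather than a silent gap.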
References (1)
Third Party Advisory (x_refsource_confirm): https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf
Scores
CVSS v3: 10.0
EPSS: 0.0042
EPSS Percentile: 33.0%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-668, CWE-501
Status: published
Products (2)
anthropic/claude_code: < 2.1.2
anthropic-ai/claude-code (npm): 0 - 2.1.2
Published: Feb 06, 2026
Tracked Since: Feb 18, 2026