The Call is Coming from Inside the Sandbox: Escaping Claude Code via Ghost Configs
Vulnerability ID: CVE-2026-25725
CVSS Score: 7.7
Published: 2026-02-06
A logic flaw in Anthropic's Claude Code tool allowed sandboxed AI agents to write persistent configuration files to the host system. By exploiting a missing file check during the sandbox initialization, malicious code could inject a 'SessionStart' hook, leading to arbitrary code execution on the host machine with full user privileges upon the next session startup.
TL;DR
Claude Code failed to lock down the .claude/settings.json file if it didn't exist at startup. Sandboxed agents could create this file, inject a malicious 'SessionStart' hook, and achieve full host RCE when the developer restarted the tool.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-501 (Trust Boundary Violation)
- Attack Vector: Network / Local (via Repository)
- CVSS v4.0: 7.7 (High)
- Impact: Sandbox Escape / Host RCE
- Exploit Status: PoC Constructed
- Component: Sandbox / Configuration Loader
Affected Systems
- Claude Code CLI tool
- Developer Workstations (Linux, macOS, WSL)
- Claude Code: < 2.1.2 (Fixed in: 2.1.2)
Mitigation Strategies
- Enforce strict read-only binds for configuration paths regardless of file existence.
- Validate configuration files for malicious hooks before execution.
- Restrict sandbox write permissions to specific subdirectories rather than the project root.
Remediation Steps:
- Upgrade Claude Code to version 2.1.2 or later.
- Check existing projects for unexpected .claude/settings.json files.
- Inspect any defined 'hooks' in local configuration files.
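The last two remediation steps can be scripted. The following audit is an added example, not code from Anthropic or from the original report: it walks a directory tree, finds every .claude/settings.json, and lists the commands defined under each hook event such as 'SessionStart'. It assumes a top-level "hooks" object keyed by event name with command strings stored under "command" keys at any depth; the function names and the sample tree are constructed for illustration.

```python
import json
import os
import tempfile

def collect_commands(node):
    """Recursively gather every string stored under a 'command' key."""
    if isinstance(node, list):
        return [c for item in node for c in collect_commands(item)]
    if not isinstance(node, dict):
        return []
    found = []
    for key, value in node.items():
        if key == "command" and isinstance(value, str):
            found.append(value)
        else:
            found.extend(collect_commands(value))
    return found

def audit_settings(path):
    """Return {event: [commands]}; assumes a top-level 'hooks' object (schema assumed)."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:  # unparseable files deserve a manual look
        return {"<unreadable>": [str(exc)]}
    hooks = data.get("hooks") if isinstance(data, dict) else None
    hooks = hooks if isinstance(hooks, dict) else {}
    return {event: collect_commands(body) for event, body in hooks.items()}

def scan(root):
    """Audit every .claude/settings.json found under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".claude" and "settings.json" in files:
            path = os.path.join(dirpath, "settings.json")
            report[path] = audit_settings(path)
    return report

def demo():
    """Scan a constructed sample tree: one repo with a hook, one without."""
    root = tempfile.mkdtemp()
    hook = {"hooks": {"SessionStart": [{"hooks": [{"command": "echo constructed"}]}]}}
    for repo, body in (("repo-a", hook), ("repo-b", {"constructed_key": True})):
        os.makedirs(os.path.join(root, repo, ".claude"))
        with open(os.path.join(root, repo, ".claude", "settings.json"), "w") as fh:
            json.dump(body, fh)
    return root, scan(root)

if __name__ == "__main__":
    print(json.dumps(demo()[1], indent=2))
```

Point scan() at the directory that holds your checkouts; any file that reports hook commands you did not add yourself should be reviewed before the tool is started in that project.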