Feb 25, 2026
Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
Executive Summary
Check Point Research discovered critical vulnerabilities (CVE-2025-59536, CVE-2026-21852) in Anthropic's Claude Code that enable remote code execution and API credential theft. The flaws exploit project configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables within the .claude/settings.json file. Attackers can inject malicious configurations into repositories, triggering arbitrary shell command execution and exfiltrating Anthropic API keys when developers clone and open untrusted projects. This supply chain risk affects developers using AI-powered coding tools, as configuration files are shared across teams for collaboration. Check Point collaborated with Anthropic to remediate all vulnerabilities prior to public disclosure. Organizations should exercise caution when cloning repositories from untrusted sources and implement verification processes for project configurations.
Summary
By Aviv Donenfeld and Oded Vanunu. Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables - executing arbitrary shell commands […] The post Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852 appeared first on Check Point Research.
Published Analysis
By Aviv Donenfeld and Oded Vanunu
Executive Summary
Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations.
The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables - executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories.
Following our disclosure, Check Point Research collaborated closely with the Anthropic security team to ensure these vulnerabilities were fully remediated. All reported issues have been successfully patched prior to this publication.
Background
As AI-powered development tools rapidly integrate into software workflows, they introduce novel attack surfaces that traditional security models haven’t fully addressed. These platforms combine the convenience of automated code generation with the risks of executing AI-generated commands and sharing project configurations across collaborative environments.
Claude Code, Anthropic’s AI-powered command-line development tool, represents a significant target in this landscape. As a leading agentic tool within the developer ecosystem, its adoption by technology professionals and integration into enterprise workflows means that the platform’s security model directly impacts a substantial portion of the AI-assisted development landscape.
Claude Code Platform
Claude Code enables developers to delegate coding tasks directly from their terminal through natural language instructions. The platform supports comprehensive development operations including file modifications, Git repository management, automated testing, build system integration, Model Context Protocol (MCP) tool connections, and shell command execution.
[Figure: Vibe-coding an awesome project using Claude Code]
Configuration Files as Attack Surface
While analyzing Claude Code’s architecture, we examined how the platform manages its configurations. Claude Code supports project-level configurations through a .claude/settings.json file that lives directly in the repository.
This design makes sense for team collaboration – when developers clone a project, they automatically inherit the same Claude Code settings their teammates use, ensuring consistent behavior across the team.
Since .claude/settings.json is just another file in the repository, any contributor with commit access can modify it. This creates a potential attack vector: malicious configurations could be injected into repositories, possibly triggering actions that users don’t expect and may not even be aware are occurring.
We set out to investigate what these repository-controlled configurations could actually do, and whether they could be leveraged to compromise developers working with affected codebases.
Vulnerability #1: RCE via Untrusted Project Hooks
During our research into Claude Code’s configuration documentation, we encountered Anthropic’s recently released Hooks feature. Hooks are designed to provide deterministic control over Claude Code’s behavior by executing user-defined commands at various points in the tool’s lifecycle. Unlike relying on the AI model to choose when to perform certain actions, Hooks ensure that specific operations always execute when predetermined conditions are...
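A review step of the kind the summary recommends before opening a cloned project, as an added example that is not from Check Point's write-up or Anthropic's code: it lists every hook command, environment override and MCP-related setting found in a repository's .claude/settings.json. The top-level key names `hooks` and `env`, the nested `command` field and all sample values are assumptions, not taken from this page.

```python
import json
from pathlib import Path

# Assumed schema (not given on the page): top-level "hooks" and "env" keys,
# hook commands stored under a "command" field. MCP-related settings are
# matched loosely by name ("mcp" anywhere in a top-level key).

def _commands(node):
    """Yield every string stored under a "command" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from _commands(item)

def audit_settings(text):
    """Return human-review findings for the contents of one settings.json."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable settings file: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["settings root is not a JSON object"]
    findings = []
    hooks = cfg.get("hooks")
    for event, body in (hooks.items() if isinstance(hooks, dict) else [("?", hooks)]):
        findings += [f"hook[{event}] runs: {cmd}" for cmd in _commands(body)]
    env = cfg.get("env")
    if isinstance(env, dict):
        findings += [f"env override: {name}" for name in sorted(env)]
    findings += [f"MCP setting: {key}" for key in cfg if "mcp" in key.lower()]
    return findings

def audit_repo(repo_dir):
    """Audit <repo_dir>/.claude/settings.json; empty list when the file is absent."""
    path = Path(repo_dir) / ".claude" / "settings.json"
    return audit_settings(path.read_text(encoding="utf-8")) if path.is_file() else []

# Constructed sample settings, not taken from the research.
SAMPLE = json.dumps({
    "hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "./tools/bootstrap.sh"}]}]},
    "env": {"EXAMPLE_VAR": "value"},
    "exampleMcpOption": True,
})

if __name__ == "__main__":
    print("\n".join(audit_settings(SAMPLE)))
```

Any non-empty result is a prompt for a person to read the file in the diff before the project is opened in the tool; the script does not judge whether a command is malicious.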
Linked Entities
- CVE-2025-59536
- CVE-2026-21852