Security Researchers Expose Critical Vulnerabilities in Anthropic's Claude Code Tool
Security experts have identified three significant security vulnerabilities in Claude Code, the command-line AI tool developed by Anthropic. These flaws could have permitted attackers to remotely execute code on a developer's computer or steal sensitive API keys, posing severe risks to software development environments.
Supply Chain Threats Amplified by AI Integration
According to a detailed report from Check Point, researchers discovered and reported all three vulnerabilities to Anthropic, which subsequently issued fixes and assigned CVEs for two of them. While Anthropic has addressed these security issues, the findings underscore a concerning supply chain threat as businesses increasingly integrate AI coding tools like Claude into their development workflows. This integration effectively transforms configuration files into a new attack surface, expanding the potential for exploitation.
The attack strategy reportedly leveraged a supply chain approach, where hackers could inject malicious configurations into public repositories. They would then wait for developers to clone and open the compromised projects. The ability to execute arbitrary commands through repository-controlled configuration files created severe supply chain risks, where a single malicious commit could compromise any developer working with the affected repository, as noted by Check Point researchers Aviv Donenfeld and Oded Vanunu in their report.
Design Flaws in Collaboration Features
The three security vulnerabilities are said to originate from the design of Anthropic Claude, which aims to facilitate collaboration among development teams. The AI coding tool achieves this by embedding project-level configuration files, specifically the .claude/settings.json file, directly within repositories. When a developer clones a project, these settings are automatically applied, mirroring those used by teammates. However, the report indicates that any contributor with commit access can modify these files, creating a vulnerability.
Researchers found that cloning and opening a malicious repository sometimes allowed them to bypass built-in safeguards, triggering hidden commands and executing malicious code without detection.
Abusing Hooks for Remote Code Execution
The first vulnerability involved the misuse of Claude's Hooks feature. Designed to run user-defined shell commands at specific points in the tool's lifecycle to automate routine tasks, Hooks are defined in the .claude/settings.json file. Since this file is part of the repository, an attacker with commit access could embed malicious shell commands into a project. When an unsuspecting developer opened the project, Claude would execute these commands automatically without seeking permission.
An attacker could configure the hook to execute any shell command—such as downloading and running a malicious payload, the researchers warned. They demonstrated this flaw by remotely launching a reverse shell on a victim's machine. Check Point reported this malicious hooks vulnerability to Anthropic on July 21, 2025, and the AI company implemented the final fix approximately a month later, publishing a GitHub Security Advisory (GHSA-ph6w-f82w-28w6) on August 29.
MCP Consent Bypass Bug Enables RCE
The second vulnerability enabled Remote Code Execution by circumventing the Model Context Protocol safety prompts. Although Anthropic had implemented warnings requiring user approval before running external MCP servers, researchers discovered a workaround. By manipulating two specific repository-controlled settings, the team overrode these safeguards, causing malicious commands to execute immediately upon launching Claude—before the user could even view a trust dialog. This bypass, identified as CVE-2025-59536, essentially rendered the tool's security prompts ineffective against a crafted repository.
Redirecting Traffic to Steal API Keys
The final vulnerability targeted developer credentials. Researchers found they could manipulate the ANTHROPIC_BASE_URL variable within a project's configuration. Attackers can exploit this flaw for API key theft by redirecting this endpoint to an attacker-controlled server. This exposes all of Claude's API traffic, including the plaintext authorization header containing the user's API key.
The researchers configured ANTHROPIC_BASE_URL to route through their local proxy and monitored all Claude Code's API traffic in real time. Every call to Anthropic servers included the authorization header—our full Anthropic API key, completely exposed in plaintext, they wrote. An attacker could abuse this technique to redirect traffic and steal a developer's active API key. This is particularly critical because the API includes a feature called Workspaces, which helps developers manage multiple Claude deployments by allowing multiple API keys to share access to the same cloud-based project files. Files are connected to the workspace, not a single key, and any API key belonging to the workspace also has visibility into any of the workspace's stored files.
