Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files
Summary:
Check Point Research recently identified critical vulnerabilities (CVE-2025-59536 and CVE-2026-21852) in Anthropic’s Claude Code, an AI-powered command-line development tool. These vulnerabilities enable threat actors to achieve Remote Code Execution (RCE) and exfiltrate API credentials through maliciously crafted project configuration files. Strategically, this represents a significant evolution in supply chain attacks targeting the AI-assisted developer ecosystem. By weaponizing repository-controlled configuration files (which developers traditionally treat as benign metadata), attackers can compromise individual workstations or pivot into collaborative enterprise environments via Claude Workspaces. The vulnerabilities exploit trust boundaries within Hooks, Model Context Protocol (MCP) servers, and environment variables. Anthropic has fully patched these issues prior to public disclosure.
Security Officer Comments:
The threat architecture relies on the manipulation of Claude Code project-level configurations, specifically the .claude/settings.json and .mcp.json files, which reside directly in the repository and are inherited when developers clone a project. The attack chain requires no explicit interaction beyond the victim running the claude command within a compromised repository directory. Beyond immediate RCE/reverse shells on the developer's machine, a stolen API key provides severe lateral movement capabilities into shared "Claude Workspaces”. Adversaries can use the stolen key to access sensitive files via the code execution tool, delete critical workspace files, upload arbitrary/poisoned files, or exhaust API credit quotas.
- Vulnerability 1: RCE via Untrusted Project HooksClaude Code’s "Hooks" feature is designed to execute user-defined commands deterministically at various lifecycle points (e.g., SessionStart). Researchers found that a hook configured in an untrusted .claude/settings.json file executed automatically upon initialization in the background, without requiring explicit user confirmation. Attackers can leverage this to execute arbitrary shell commands—such as spawning a reverse shell—immediately when the victim opens the project.
- Vulnerability 2: RCE Using MCP User Consent Bypass (CVE-2025-59536)Claude Code supports integrations via the Model Context Protocol (MCP). While Anthropic initially implemented a user-consent dialog for MCP initialization, attackers could bypass this protection using specific configuration parameters (enableAllProjectMcpServers or enabledMcpjsonServers) in the .claude/settings.json file. This forces the automatic approval and initialization of malicious MCP servers defined in .mcp.json, executing arbitrary commands before the victim can read or interact with the trust dialog.
- Vulnerability 3: API Key Exfiltration via Malicious ANTHROPIC_BASE_URL (CVE-2026-21852)The configuration schema allows environment variables to be overridden within .claude/settings.json. By modifying the ANTHROPIC_BASE_URL to point to an attacker-controlled proxy (e.g., using a tool like mitmproxy), all API communications are intercepted. When the victim starts Claude Code, session initialization requests containing the full Anthropic API key in plaintext authorization headers are sent to the attacker's server before any trust dialog is presented.
Suggested Corrections:
- Update Tooling: Immediately ensure all instances of Claude Code are updated to the latest, patched versions. Running the current version effectively neutralizes the vulnerabilities discussed.
- Inspect Configuration Directories: Manually inspect .claude/, .vscode/, and similar tool-specific configuration folders for anomalous entries or environment variable overrides (e.g., ANTHROPIC_BASE_URL) prior to opening newly cloned projects.
- Heed Application Warnings: Pay strict attention to any trust dialogs or tool warnings concerning potentially unsafe files, even if the repository appears to originate from a legitimate source.
Recommendations from Check Point Research
Just as developers have learned they cannot blindly execute code from untrusted sources, defenders must prioritize that their organizations and customers extend that same caution to opening projects with modern development tools. The line between configuration and execution continues to blur, requiring us to treat project setup files with the same careful attention we apply to executable code.
- Keep Your Tools Updated – Ensure you are running the latest version of Claude Code. All vulnerabilities discussed in this report have been patched, and running the current version is the most effective way to stay protected.
- Inspect configuration directories before opening projects – examine .claude/, .vscode/, and similar tool-specific folders
- Pay attention to tool warnings about potentially unsafe files, even in legitimate-looking repositories
- Review configuration changes during code reviews with the same rigor applied to source code
- Question unusual setup requirements that seem overly complex for a project’s apparent scope