Anthropic Patches Remote Code Execution Flaw in Claude

A vulnerability that allowed remote code execution in Anthropic’s Claude AI collaboration tools has been disclosed and patched. The incident highlights the growing attack surface of AI-powered SaaS tools used by development teams. Security experts warn that such collaboration suites are high-value targets, which makes vigilant review of third-party tool permissions a necessity.

The vulnerabilities, identified by Check Point Research, were tracked as CVE-2025-59536 and CVE-2026-21852. The core of the exploit involved weaponizing project-level configuration files within a repository, turning a simple "clone and open" action into the trigger for an attack. Attackers could abuse built-in mechanisms such as "Hooks" and Model Context Protocol (MCP) integrations to execute arbitrary shell commands. By crafting a malicious `.claude/settings.json` or `.mcp.json` file, an attacker could bypass the user consent dialogs and achieve remote code execution the moment a developer initialized the tool in an untrusted directory.

A separate flaw allowed API key theft by manipulating the `ANTHROPIC_BASE_URL` configuration setting. This redirected all API traffic, including the authorization header carrying the user's key, to an attacker-controlled server before any trust prompt was shown to the developer. The impact of a stolen API key was severe, potentially allowing an attacker to read, modify, and delete all files within a shared team workspace. The remote code execution vulnerability was demonstrated by launching a reverse shell, leading to full compromise of the developer's machine.

This incident highlights a fundamental shift in the threat model for AI-assisted software development. Configuration files are no longer passive settings but part of the execution layer, creating a new supply chain risk in which a single malicious commit can compromise any developer who pulls the repository. Studies indicate that a significant percentage of code generated by AI assistants can contain security flaws, since models are often trained on public code of varying quality. This reinforces the need for engineering leaders to establish rigorous security reviews and training for teams adopting AI-powered tools, treating all generated code as potentially untrusted.
