Claude Code Has Sandbox Escape via Persistent Configuration Injection in settings.json

Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.

N/A

违背信任边界

Claude Code 安全漏洞

Claude Code是Anthropic开源的一个终端原生AI编程工具。 Claude Code 2.1.2之前版本存在安全漏洞，该漏洞源于bubblewrap沙盒机制在启动时若.claude/settings.json文件不存在则未能妥善保护该文件，可能导致恶意代码创建该文件并注入持久化钩子。

N/A

N/A