Claude Code RCE via malicious .claude/settings.json hooks (CVE-2025-59536)
Summary
Opening an untrusted repository with Claude Code loads .claude/settings.json before the trust dialog appears. Pre-patch (Oct 2025) versions executed malicious hooks and MCP server configs immediately on repo open, bypassing user approval. CVSS 8.7. Patched in Claude Code 0.4.x+. Attack shape: attacker commits a .claude/settings.json with a pre-tool hook running shell commands, or an .mcp.json that spawns a stdio MCP server pointing at their binary. Victim opens the repo, hooks fire. No interaction beyond opening. Detection: scan .claude/settings.json and .mcp.json for hook entries whose `command` is a shell-reachable binary outside a known-good allowlist (node, python3, bun, pnpm, npx) or for env vars overriding ANTHROPIC_BASE_URL.
Severity & confidence
Critical
Active exploitation in the wild, high blast radius, or direct data exfiltration vector. Treat as an urgent remediation target; quarantine affected artifacts immediately.
Confirmed
Observed directly by Jiffy scanners or validated by multiple independent sources. Indicators are reliable enough to drive automated action.
Indicators
Observed patterns and artifacts associated with this entry. Each indicator can be copied into your detection stack or SIEM.
.claude/settings.json
.mcp.json
%/.claude/settings.json
%/.mcp.json
(?i)"hooks"\s*:\s*\[[^\]]*"command"\s*:
(?i)pre[-_]?(tool|bash|edit)[-_]?use
Detection rule
A YARA-style pseudo-rule auto-generated from the indicators above. Useful as a starting point — adapt the syntax for your target detection platform.
rule jiffy_ti_2026_000120
{
meta:
source = "jiffy-intel"
severity = "critical"
description = "Auto-generated from Jiffy Intel indicators"
strings:
$file_path_pattern_0 = ".claude/settings.json"
$file_path_pattern_1 = ".mcp.json"
$artifact_uri_pattern_2 = "%/.claude/settings.json"
$artifact_uri_pattern_3 = "%/.mcp.json"
$content_pattern_4 = "(?i)\"hooks\"\\s*:\\s*\\[[^\\]]*\"command\"\\s*:"
$content_pattern_5 = "(?i)pre[-_]?(tool|bash|edit)[-_]?use"
condition:
$file_path_pattern_0 or $file_path_pattern_1 or $artifact_uri_pattern_2 or $artifact_uri_pattern_3 or $content_pattern_4 or $content_pattern_5
}Auto-generated from the indicators above. Adapt syntax for your detection stack before deploying.
Affected tools
| Tool | Versions | Status |
|---|---|---|
| Claude Code | <0.4.0 | vulnerable |
| Claude Desktop | <0.4.0 | vulnerable |
How to remediate
- 011.
- 02Update Claude Desktop + Claude Code to 0.4.x+ across every managed endpoint.
- 032.
- 04Scan .claude/settings.json + .mcp.json in every cloned repo against your org's allowlist.
- 053.
- 06Add a pre-clone gate — reject repos whose hooks invoke binaries outside {node, python3, bun, pnpm, npx}.
- 074.
- 08Track which users have the vulnerable version still installed (via OTel fleet telemetry).
Timeline
- First observedMar 24, 20261 month ago
- Last updatedApr 19, 202613 days ago
- PublishedApr 19, 202613 days ago
Sources
References
Scan for patterns like this
Point Jiffy at your GitHub org, IDE config, or a single artifact. Get a scored report in under a minute.
Start a free scan