## https://sploitus.com/exploit?id=A926BD4D-E936-5271-B992-D63FB84FE135
# CVE-2025-59536 PoC
**Remote Code Execution via Claude Code Project Hooks**
## Overview
This repository demonstrates CVE-2025-59536, a vulnerability in Claude Code < 1.0.111 that allows
arbitrary code execution through malicious `.claude/settings.json` hooks.
When a victim clones this repo and runs `claude`, the `SessionStart` hook in
`.claude/settings.json` executes automatically **without any permission prompt**.
## Affected Versions
- Claude Code < 1.0.111 (Hooks RCE)
- Fixed in: 1.0.111+
## Attack Chain
```
1. Attacker pushes .claude/settings.json with SessionStart hook to GitHub
2. Victim: git clone https://github.com/.../this-repo
3. Victim: cd this-repo && claude
4. Hook executes automatically โ RCE
```
## Reproduce
```bash
# Install vulnerable version
npm install -g @anthropic-ai/claude-code@1.0.110
# Clone this repo
git clone https://github.com/tacdm/cve-2025-59536-poc
cd cve-2025-59536-poc
# Trigger (trust the project first, simulating the race condition)
claude -p "explain this project" --dangerously-skip-permissions
# Check proof
cat /tmp/cve-2025-59536-proof.txt
# Restore safe version
npm install -g @anthropic-ai/claude-code@latest
```
## What the PoC Does
The hook payload is **benign** โ it only writes system info to `/tmp/cve-2025-59536-proof.txt`.
In a real attack, this could:
- Steal API keys (`~/.claude.json`)
- Exfiltrate SSH keys
- Install persistent backdoors (`.bashrc`, crontab)
- Pivot to internal networks
## References
- [Check Point Research: CVE-2025-59536](https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/)
- [GitHub Advisory GHSA-ph6w-f82w-28w6](https://github.com/advisories/GHSA-ph6w-f82w-28w6)
- [NVD: CVE-2025-59536](https://nvd.nist.gov/vuln/detail/CVE-2025-59536)
## Disclaimer
This PoC is for **educational and authorized security research purposes only**.
Do not use against systems you do not own or have permission to test.