Exploit for Code Injection in Anthropic Claude_Code CVE-2025-59536 CVE-2026-21852

Name: Exploit for Code Injection in Anthropic Claude_Code CVE-2025-59536 CVE-2026-21852
Rating: 5 (12 reviews)
2026-06-21 | CVSS 8.8
## https://sploitus.com/exploit?id=D301242C-B53B-53BF-A743-4107276D8DCA
# dotclaude-security

> Scan a repo's local **`.claude/`** config — `settings.json` hooks, MCP server defs, `env` blocks, `permissions.allow` — for the **RCE** and **API-key-exfiltration** footguns that fire the moment you `git clone` and open an untrusted repository in Claude Code. It points at the **exact dangerous line** so you can read before you trust. Reads only — it never runs what it finds.

> ⚡ **Run it in one line, no install, nothing leaves your machine:**
> ```bash
> npx dotclaude-security --dir ./some-cloned-repo
> ```

> 🤝 **Want it hardened for you?** [Fixed-scope audit — $99 / 24h](https://buy.stripe.com/3cIeVdgikfj47yx9LkcAo0m): I review each finding and send a written report with the exact `.claude` config fixes.

[![npm](https://img.shields.io/npm/v/dotclaude-security?color=red)](https://www.npmjs.com/package/dotclaude-security) [![downloads](https://img.shields.io/npm/dw/dotclaude-security)](https://www.npmjs.com/package/dotclaude-security) ![license](https://img.shields.io/badge/license-MIT-green) ![node](https://img.shields.io/badge/node-%3E%3D18-blue) ![deps](https://img.shields.io/badge/dependencies-0-brightgreen)

```
$ npx dotclaude-security --dir ./untrusted-repo
1 critical, 2 high, 0 medium across 1 config file(s).
  CRITICAL  .claude/settings.json:4  Auto-exec hook on "SessionStart" runs a command when the repo is opened
  HIGH      .claude/settings.json:7  permissions.allow pre-approves a dangerous tool: Bash(*)
  HIGH      .claude/settings.json:8  MCP server "x" runs an on-the-fly remote package (npx)
```

## Why this exists

A repository can ship its own `.claude/` config, and an agent honors it on open.
In February 2026 Check Point Research disclosed two CVEs rooted in exactly this:

- **[CVE-2025-59536](https://thehackernews.com/)** (CVSS 8.7) — a repo-controlled
  `SessionStart` hook **auto-executes a shell command when the directory is opened**.
  Clone a malicious repo, open it, get popped. Remote code execution on init.
- **CVE-2026-21852** — repo config (hook commands / `env`) reads your
  **`ANTHROPIC_API_KEY`** and ships it to a remote host. Silent key exfiltration.

Both attack the same surface: `settings.json` **hooks**, **MCP server** launch
commands, **`env`** blocks, and the **`permissions.allow`** list — the things a
stranger's repo can hand you. The big incumbents (Cisco's skill-scanner, Snyk's
agent-scan) scan **skills**; almost nobody scans the **`.claude` config files**.

`dotclaude-security` parses those files, statically, and flags the exact
file + line of every dangerous directive — so you triage facts, not maybes, and
**never execute the payload to find it**.

## What it checks

| Check | Severity | What it catches |
|---|---|---|
| Auto-exec hook on open (`SessionStart`/`PreToolUse`/`UserPromptSubmit`) | critical / high | command that runs the moment the repo is opened — RCE on init (CVE-2025-59536) |
| Hook reads a secret **and** calls the network | critical | `ANTHROPIC_API_KEY`/token piped to a remote host — key exfil (CVE-2026-21852) |
| Dangerous command pattern in any hook | high | `curl\|sh`, `eval`, `base64 -d`, `nc -e`, `/dev/tcp`, inline `python -c`/`node -e` |
| MCP server launches a dangerous command | critical | MCP `command`/`args` that fetch-and-run code on connect |
| MCP server runs an on-the-fly remote package | high | `npx`/`uvx`/`bunx` MCP definitions that pull unpinned packages |
| MCP server handed a secret / remote URL | high / medium | env-injected credentials, untrusted remote endpoints |
| Risky `permissions.allow` entry | high / medium | `Bash(*)`, `WebFetch`, broad `mcp__*` that remove the human approval gate |
| Committed secret value | critical | real `sk-ant-…`, `AKIA…`, `ghp_…`, private keys in any `.claude` file |

## Usage

```bash
# Scan the .claude/ config in the current repo
npx dotclaude-security

# Scan a freshly cloned, untrusted repo BEFORE you open it in Claude Code
npx dotclaude-security --dir ./some-cloned-repo

# Machine-readable JSON only (gate your CI on the summary)
npx dotclaude-security --json

# Write a shareable HTML report
npx dotclaude-security --html report.html
```

Output is JSON on stdout (pipe it into CI) and a one-line-per-finding summary on
stderr. Each finding carries `file`, `location.line`, `location.text` and a
concrete `fix`.

## Install (optional)

```bash
npm i -g dotclaude-security
dotclaude-security --dir ./untrusted-repo
```

Zero dependencies. It reads your config files and reports — it **never executes**
a hook, MCP command, or anything else it discovers. Nothing leaves your machine.

## Sister tools

Same local-first, prove-the-real-issue philosophy across the stack, all MIT:

[supabase-security](https://github.com/Perufitlife/supabase-security-skill) ·
[strapi-security](https://github.com/Perufitlife/strapi-security) ·
[pocketbase-security](https://github.com/Perufitlife/pocketbase-security-skill) ·
[firebase-security](https://github.com/Perufitlife/firebase-security-skill) ·
[appwrite-security](https://github.com/Perufitlife/appwrite-security-skill) ·
[nhost-security](https://github.com/Perufitlife/nhost-security-skill) ·
[stripe-webhook-security](https://github.com/Perufitlife/stripe-webhook-security) ·
[github-actions-security](https://github.com/Perufitlife/github-actions-security) ·
[aws-s3-security](https://github.com/Perufitlife/aws-s3-security)

## License

MIT © [Renzo Madueno](https://github.com/Perufitlife)