Claude Code Bubblewrap Sandbox Escape Vulnerability via Persistent Configuration Injection

A vulnerability in Claude Code prior to version 2.1.2 allows for a sandbox escape by improperly managing the .claude/settings.json file within its bubblewrap sandbox. When Claude Code is launched and this configuration file is absent, the sandbox fails to enforce proper protections. Although the parent directory is writable and .claude/settings.local.json is safeguarded with read-only restrictions, the settings.json file remains unprotected if missing. This oversight enables malicious code executed within the sandbox to generate the settings.json file and insert persistent commands, such as SessionStart hooks, which would run with host privileges upon restarting Claude Code. The issue has been resolved in version 2.1.2.

Impact

Exploitation of this vulnerability allows for unauthorized modification of the .claude/settings.json file, enabling the injection of persistent commands that execute with host privileges when Claude Code is restarted. This represents a significant breach of the application's sandboxing mechanism, potentially leading to unauthorized access or control over the host environment.

Remediation

Users of Claude Code who utilize the standard auto-update feature have already received the patch in version 2.1.2. Those performing manual updates should upgrade to the latest version.