Claude Code Workspace Trust Dialog Bypass Vulnerability

A vulnerability in Claude Code versions prior to 2.1.53 allows for a bypass of the workspace trust confirmation dialog. This issue arises because the application resolves permission modes from settings files, including the repository-controlled .claude/settings.json, before deciding whether to display the trust dialog. A malicious repository could manipulate the permissions.defaultMode setting to bypassPermissions, causing the trust dialog to be silently skipped on the first open. As a result, users could be placed in a permissive mode without seeing the trust confirmation prompt, facilitating unauthorized execution of tools from the attacker-controlled repository.

Impact

Exploitation of this vulnerability allows an attacker to gain execution of tools within Claude Code without the user's explicit consent, by bypassing the necessary trust confirmation dialog.

Remediation

Users on standard Claude Code auto-update have already received the patch for this vulnerability. Those performing manual updates should update to the latest version.