Claude Code Insecure Configuration Loading Vulnerability on Windows Systems Prior to Version 2.1.75
Vulnerability
A vulnerability in Claude Code on Windows has been identified, where the application loads system-wide default configurations from a user-writable directory without proper validation of directory ownership or access permissions. This issue affects versions prior to 2.1.75. The vulnerability allows low-privileged local users to create a malicious configuration file that could be loaded by any user running Claude Code on the same machine. Exploitation would require a shared multi-user Windows environment and for the victim user to launch Claude Code after the malicious file has been placed.
Impact
Exploitation of this vulnerability could lead to unauthorized modification of the application's configuration, potentially allowing for malicious code execution or other harmful actions within the application.
Remediation
Users on the standard Claude Code auto-update have already received the fix. Those performing manual updates should update to the latest version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.