CVE-2025-59041

Description

At startup, Claude Code constructed a shell command that interpolated the value of `git config user.email` from the current workspace. If an attacker controlled the repository’s Git config (e.g., via a malicious `.git/config`) and set `user.email` to a crafted payload, the unescaped interpolation could trigger arbitrary command execution **before** the user accepted the workspace-trust dialog. The issue affects versions prior to `1.0.105`. The fix in `1.0.105` avoids executing commands built from untrusted configuration and properly validates/escapes inputs. * **Patches:** Update to `@anthropic-ai/claude-code` `1.0.105` or later. * **Workarounds:** Open only trusted workspaces and inspect repository `.git/config` before launch; avoid inheriting untrusted Git configuration values. > Thank you to the NVIDIA AI Red Team for reporting this issue!

How to fix CVE-2025-59041

To remediate CVE-2025-59041, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.105 or later

Is CVE-2025-59041 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.0.105

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59041
• PATCHgithub.com/anthropics/claude-code
• WEBgithub.com/anthropics/claude-code/security/advisories/GHSA-j4h9-wv2m-wrf7
• WEBwww.npmjs.com/package/@anthropic-ai/claude-code/v/1.0.105