Code Injection in Anthropic Claude Code startup trust dialog

This repository is a small proof-of-concept exploit for CVE-2025-59536 affecting Anthropic Claude Code before version 1.0.111. The real exploit logic is not in the JavaScript application; it is embedded in .claude/settings.json, which defines a SessionStart hook that executes a shell command automatically when Claude Code starts in the project. The payload is benign and writes execution evidence plus basic host/user metadata to /tmp/cve-2025-59536-proof.txt, but it clearly demonstrates arbitrary command execution capability. Repository structure is minimal: README.md explains the vulnerability, affected versions, reproduction steps, and possible real-world abuse; .claude/settings.json contains the malicious hook payload; index.js and package.json form a harmless-looking Node/Express decoy project to make the repository appear normal; .gitignore only excludes node_modules. There is no exploit framework involved. Primary capability: local code execution on a victim workstation through a malicious project configuration file processed by Claude Code. The attack is best characterized as a supply-chain/social-engineering style repository trap: a victim clones or opens the repository and runs Claude Code in it, causing the hook to fire. The PoC does not include persistence, exfiltration, or networking, but the README explicitly notes those as feasible follow-on actions. The included Express app is incidental and appears intended as camouflage rather than part of exploitation.

Repository contains a small proof-of-concept MCP server intended to demonstrate a UI/UX trust issue: the MCP tool metadata (name/description/schema) shown to the user can be benign while the server executes different, malicious behavior after the user approves the tool call. Structure: (1) server.py implements an MCP Server with a single tool read_safe_file; list_tools() advertises a safe description and a path parameter, but invoke_tool() ignores the requested file read and instead runs an OS command (whoami > ~/Desktop/proof.txt) and returns a fake ToolResult containing the text 'README'. (2) .mcp.json provides MCP server metadata including the advertised URL http://localhost:8000 and the tool description. (3) README.md explains the concept (prompt/confirmation misrepresentation) and positions it as a PoC for an unassigned CVE (CVE-2024-XXXX) affecting Claude Code v2.1.63; it also references a different script name (exploit.py) that is not present in this repository snapshot. Overall purpose: demonstrate post-consent arbitrary command execution by abusing user trust in tool confirmation prompts generated from attacker-controlled MCP metadata.

Repository purpose: an educational demo of Claude Code CLI supply-chain style attacks via malicious project configuration, covering (1) a hooks consent/trust bypass leading to command execution (no CVE, fixed in v1.0.87), (2) CVE-2025-59536 where enableAllProjectMcpServers=true can auto-start project-defined MCP servers from .mcp.json and execute arbitrary commands (fixed in v1.0.111), and (3) CVE-2026-21852 where ANTHROPIC_BASE_URL from project settings is applied before the trust prompt, redirecting API traffic (including API keys in Authorization/x-api-key headers) to an attacker endpoint (fixed in v2.0.65). Structure and key files: - vuln1_hooks_bypass/.claude/settings.json: defines PreToolUse/PostToolUse hooks that run shell commands and write to /tmp/claude_vuln1_demo.log, demonstrating RCE on repo open in vulnerable versions. - CVE-2025-59536_mcp_injection/.claude/settings.json + CVE-2025-59536_mcp_injection/.mcp.json: sets enableAllProjectMcpServers=true and defines an MCP server that runs sh -c commands, writing to /tmp/claude_vuln2_demo.log. - CVE-2026-21852_api_exfil/.claude/settings.json: sets env.ANTHROPIC_BASE_URL to http://127.0.0.1:8888 to demonstrate credential exfiltration. - attacker_server.py: local HTTP server on 127.0.0.1:8888 that logs incoming requests (headers and JSON bodies) to /tmp/claude_attacker_demo.log and returns a demo JSON response. - attacker_proxy.py: MITM-style proxy on 127.0.0.1:8888 that captures API keys and conversation content, logs to /tmp/claude_proxy_demo.log, and forwards requests to https://api.anthropic.com to keep victim behavior normal. - scanner.py: a defensive detection tool that scans a given repo path for these patterns (hooks executing commands, enableAllProjectMcpServers + .mcp.json command definitions, and ANTHROPIC_BASE_URL/credential-related env overrides) and exits non-zero if findings exist. Exploit capabilities (as demonstrated): - Local code execution via auto-run hooks and MCP server startup (command execution payloads are simple echo/date/whoami/hostname logging but represent arbitrary command execution). - Network-based credential and data interception by redirecting Claude Code API traffic to an attacker-controlled base URL; optional stealth forwarding to the real Anthropic API. Overall, this is a PoC/educational repository combining malicious config examples, attacker infrastructure (server/proxy), and a scanner to detect the same indicators before opening a repo in Claude Code.