SB2026043046 - Multiple vulnerabilities in Claude Code

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Code Injection (CVE-ID: CVE-2025-59041)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the startup command handling of git config user.email when processing a maliciously configured git email value. A remote attacker can supply a specially crafted git email configuration to execute arbitrary code.

Exploitation can occur before a user accepts the workspace trust dialog.

2) Code Injection (CVE-ID: CVE-2025-58764)

The vulnerability allows a remote attacker to execute untrusted commands.

The vulnerability exists due to improper command parsing in the rg command when processing untrusted content in a Claude Code context window. A remote attacker can add crafted untrusted content to bypass the user approval prompt and execute untrusted commands.

Reliably exploiting this issue requires the ability to add untrusted content into a Claude Code context window.

Remediation

Install update from vendor's website.

References

• https://github.com/anthropics/claude-code/security/advisories/GHSA-j4h9-wv2m-wrf7
• https://github.com/anthropics/claude-code/security/advisories/GHSA-qxfv-fcpc-w36x
• https://github.com/advisories/GHSA-qxfv-fcpc-w36x