CVE-2025-59829: 
JavaScript Schwachstellenanalyse und -minderung

Claude Code, an agentic coding tool, was found to have a security vulnerability in versions below 1.0.120 where it failed to properly handle symlinks during permission deny rule checks. The vulnerability (CVE-2025-59829) was disclosed on October 3, 2025, and allows unauthorized file access through symlink manipulation despite explicit deny rules (GitHub Advisory).

The vulnerability is classified as CWE-61 (UNIX Symbolic Link Following) with a CVSS v4.0 base score of 2.3 (Low). The technical issue stems from Claude Code's failure to properly validate symlinks when enforcing permission deny rules, allowing potential access to explicitly denied files through symlink redirection. The attack vector is network-based with low attack complexity, requiring passive user interaction and no privileges (NVD, GitHub Advisory).

The vulnerability results in low confidentiality and integrity impacts, with no availability impact. If exploited, an attacker could bypass intended file access restrictions and gain unauthorized access to files that were explicitly denied through permission rules (GitHub Advisory).

The vulnerability has been fixed in Claude Code version 1.0.120. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to the latest version immediately (GitHub Advisory).