CVE-2025-52882
JavaScript vulnerability analysis and mitigation

Overview

Claude Code, an agentic coding tool, was discovered to have a critical vulnerability (CVE-2025-52882) affecting its IDE extensions. The vulnerability impacts Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 and Claude Code [beta] versions 0.1.1 through 0.1.8 for JetBrains IDEs. The issue was discovered and patched on June 13th, 2025, with public disclosure on June 23rd, 2025 (Wiz, GitHub Advisory).

Technical details

The vulnerability is classified as CWE-1385 (Missing Origin Validation in WebSockets) and received a CVSS v4.0 base score of 8.8 (High). Its CVSS v4.0 metrics are: Attack Vector Network, Attack Complexity Low, Attack Requirements Present, Privileges Required None, and User Interaction Passive. Confidentiality and Integrity impact are rated High, and Availability impact None, for both the vulnerable system and subsequent systems (NVD, GitHub Advisory).

Impact

In VSCode and its forks, successful exploitation enables attackers to read arbitrary files, access lists of open files, obtain selection and diagnostics events from the IDE, and potentially execute code in scenarios where users have open Jupyter Notebooks and accept malicious prompts. For JetBrains IDEs, the impact is limited to obtaining selection events, accessing lists of open files, and viewing syntax error lists (GitHub Advisory).

Mitigation and workarounds

Users should update their IDE extensions to patched versions: VSCode users should update to version 1.0.24 or later, while JetBrains IDE users should update to version 0.1.9 [Beta] or later. For VSCode and forks, users can update through View->Extensions, locate Claude Code for VSCode, and update or uninstall versions prior to 1.0.24. For JetBrains IDEs, users should open the Plugins list, locate Claude Code [Beta], and update or uninstall versions prior to 0.1.9. A restart of the IDE is required after updating (GitHub Advisory).


Related JavaScript vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name       CISA KEV exploit  Has fix  Published date
CVE-2025-67731  HIGH      8.7    JavaScript    servify-express      No                Yes      Dec 12, 2025
CVE-2025-67718  HIGH      8.7    JavaScript    formio               No                Yes      Dec 11, 2025
CVE-2025-65513  HIGH      7.5    JavaScript    mcp-fetch-server     No                No       Dec 09, 2025
CVE-2025-67716  MEDIUM    5.7    JavaScript    @auth0/nextjs-auth0  No                Yes      Dec 11, 2025
CVE-2025-67490  MEDIUM    5.4    JavaScript    @auth0/nextjs-auth0  No                Yes      Dec 10, 2025
