CVE-2025-59536: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59536 affects Claude Code, an agentic coding tool. The vulnerability was discovered and disclosed on October 3, 2025, affecting versions before 1.0.111. The issue stems from a bug in the startup trust dialog implementation that could allow code execution before user acceptance of the trust dialog (GitHub Advisory).

The vulnerability is classified as a Code Injection vulnerability (CWE-94) where Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. The CVSS v4.0 score is 8.7 (High), with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability requires a user to start Claude Code in an untrusted directory (GitHub Advisory).

The vulnerability has high impact ratings for confidentiality, integrity, and availability of the vulnerable system. If exploited, it could allow attackers to execute arbitrary code through the Claude Code application before the user has accepted the trust dialog (GitHub Advisory).

The vulnerability has been fixed in version 1.0.111. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version (GitHub Advisory).