CVE-2025-59536: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59536 affects Claude Code, an agentic coding tool, in versions before 1.0.111. The vulnerability was discovered and disclosed on October 3, 2025, and involves a code injection vulnerability in the startup trust dialog implementation. The issue allows code execution before user acceptance of the startup trust dialog (GitHub Advisory, NVD).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code/'Code Injection'). It received a CVSS v4.0 base score of 8.7 (High), with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability allows network-based attacks with low attack complexity, requires no privileges but does need passive user interaction, and can result in high impacts to confidentiality, integrity, and availability of the vulnerable system (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary code within Claude Code before the user accepts the startup trust dialog. This presents a significant security risk as it bypasses an important security control mechanism, potentially allowing unauthorized code execution in the application context (GitHub Advisory).

The vulnerability has been fixed in version 1.0.111. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version (GitHub Advisory).