CVE-2025-59829: 
JavaScript vulnerability analysis and mitigation

Claude Code, an agentic coding tool, was found to have a security vulnerability (CVE-2025-59829) related to symlink handling. The issue was discovered and disclosed on October 3, 2025. The vulnerability affects versions of Claude Code below 1.0.120, where the software failed to properly handle symlinks when enforcing permission deny rules (GitHub Advisory).

The vulnerability is classified as CWE-61 (UNIX Symbolic Link Following) with a CVSS v4.0 base score of 2.3 (Low). The CVSS vector string is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating network attack vector, low attack complexity, passive user interaction required, and low impact on confidentiality and integrity (GitHub Advisory).

When exploited, this vulnerability could allow unauthorized access to files that were explicitly denied through permission rules. The impact is considered low, with potential compromise of confidentiality and integrity of the vulnerable system, though no impact on availability was noted (GitHub Advisory).

The vulnerability has been fixed in version 1.0.120 of Claude Code. Users with automatic updates enabled will have received the fix automatically. Those performing manual updates are advised to update to the latest version immediately (GitHub Advisory).

The vulnerability was responsibly disclosed through HackerOne by user 'vinai', demonstrating effective collaboration between security researchers and the development team (GitHub Advisory).