Wiz
Vulnerability DatabaseCVE-2025-59829

CVE-2025-59829
JavaScript vulnerability analysis and mitigation

Overview

Claude Code, an agentic coding tool, was found to have a security vulnerability in versions below 1.0.120 where it failed to properly handle symlinks during permission deny rule checks. The vulnerability (CVE-2025-59829) was disclosed on October 3, 2025, and allows unauthorized file access through symlink manipulation despite explicit deny rules (GitHub Advisory).

Technical details

The vulnerability is classified as CWE-61 (UNIX Symbolic Link Following) with a CVSS v4.0 base score of 2.3 (Low). The technical issue stems from Claude Code's failure to properly validate symlinks when enforcing permission deny rules, allowing potential access to explicitly denied files through symlink redirection. The attack vector is network-based with low attack complexity, requiring passive user interaction and no privileges (NVD, GitHub Advisory).

Impact

The vulnerability results in low confidentiality and integrity impacts, with no availability impact. If exploited, an attacker could bypass intended file access restrictions and gain unauthorized access to files that were explicitly denied through permission rules (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Claude Code version 1.0.120. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to the latest version immediately (GitHub Advisory).

Additional resources

SourceThis report was generated using AI

Related JavaScript vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-23947CRITICAL9.3
  • JavaScriptJavaScript
  • @orval/core
NoYesJan 20, 2026
CVE-2026-23950HIGH8.8
  • JavaScriptJavaScript
  • grafana-graphite
NoYesJan 20, 2026
CVE-2026-22037HIGH8.4
  • JavaScriptJavaScript
  • @fastify/express
NoYesJan 19, 2026
CVE-2026-23522LOW3.7
  • JavaScriptJavaScript
  • @lobehub/chat
NoNoJan 19, 2026
CVE-2025-66803LOW1.7
  • JavaScriptJavaScript
  • @hotwired/turbo
NoYesJan 20, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo