GHSA-ph6w-f82w-28w6: 
JavaScript vulnerability analysis and mitigation

A high severity vulnerability (GHSA-ph6w-f82w-28w6) was identified in Claude Code affecting versions < 1.0.87. The vulnerability was discovered and reported by avivdon through HackerOne, published on September 2, 2025, and updated on September 3, 2025. The issue stems from insufficient warning messages when starting Claude Code in a new directory, potentially leading to arbitrary code execution (GitHub Advisory).

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) with a CVSS v4 score of 8.7 (High). The technical assessment shows Network attack vector, Low attack complexity, No attack requirements, No privileges required, and Passive user interaction. The vulnerability impacts have been rated High for Confidentiality, Integrity, and Availability of the vulnerable system, while Subsequent System impacts are rated None (GitHub Advisory).

When exploited, this vulnerability could allow arbitrary code execution in the context of the user's system. The high CVSS scoring indicates significant potential impact on system confidentiality, integrity, and availability. The vulnerability could enable attackers to execute malicious code when users interact with untrusted directories (GitHub Advisory).

The vulnerability has been patched in version 1.0.87 of Claude Code. Users with automatic updates enabled will receive the fix automatically. Those managing updates manually are advised to upgrade to the latest version immediately. The fix includes improved warning messages that clearly communicate the implications of trusting files in a new directory (GitHub Advisory).