GHSA-9F65-56V6-GXW7

Vulnerability from github – Published: 2025-06-23 21:22 – Updated: 2025-06-27 23:07
VLAI?
Summary
Claude Code Improper Authorization via websocket connections from arbitrary origins
Details

Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.

In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.

Remediation

We released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).

VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks Extension Name: Claude Code for VSCode

Instructions:

  1. Open the list of Extensions (View->Extensions)
  2. Look for Claude Code for VSCode among installed extensions
  3. If you have a version < 1.0.24, click “Update” (or “Uninstall”)
  4. Restart the IDE

All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio Plugin name: Claude Code [Beta]

Instructions:

  1. Open the Plugins list
  2. Look for Claude Code [Beta] among installed extensions
  3. Update (or Uninstall) the plugin if the version is < 0.1.9
  4. Restart the IDE
Severity ?
8.8 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@anthropic-ai/claude-code"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.116"
            },
            {
              "fixed": "1.0.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1385",
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-23T21:22:22Z",
    "nvd_published_at": "2025-06-24T20:15:26Z",
    "severity": "HIGH"
  },
  "details": "Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable.  \n\nIn VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors.\n\n**Remediation**\n\nWe released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when you launch it and auto-updates the extensions, you should take the following steps (the exact steps depend on your IDE).\n\n**VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks**\nExtension Name: Claude Code for VSCode\n\nInstructions:\n\n1. Open the list of Extensions (View-\u003eExtensions)\n2. Look for Claude Code for VSCode among installed extensions\n3. If you have a version \u003c 1.0.24, click \u201cUpdate\u201d (or \u201cUninstall\u201d)\n4. Restart the IDE \n\n**All JetBrains IDEs including IntelliJ, PyCharm, and Android Studio**\nPlugin name: Claude Code [Beta]\n\nInstructions:\n\n1. Open the Plugins list\n2. Look for Claude Code [Beta] among installed extensions\n3. Update (or Uninstall) the plugin if the version is \u003c 0.1.9\n4. Restart the IDE",
  "id": "GHSA-9f65-56v6-gxw7",
  "modified": "2025-06-27T23:07:59Z",
  "published": "2025-06-23T21:22:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52882"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/anthropics/claude-code"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Claude Code Improper Authorization via websocket connections from arbitrary origins"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.