Artificial IntelligencePress Release

Check Point Research Uncovers Critical Claude Code Flaws

Highlighting a Broader Shift in the Threat Model of Enterprise AI Tools

Claude, one of the most widely used Artificial Intelligence (AI) development tools with tens of millions of monthly active users, has become deeply embedded in enterprise development workflows. For many organisations, it is no longer just an ״assistant,״ but rather a core layer within the software development chain.

New research from Check Point Research has uncovered critical vulnerabilities in Claude Code (CVE-2025-59536) that highlight a broader shift in the threat model of enterprise AI tools. The findings demonstrate how a routine action, such as opening a project, could have been leveraged as an entry point into a development environment.

The research revealed that internal mechanisms designed to streamline collaboration could, under certain conditions, be abused to trigger unauthorised actions at the moment a repository was opened. In specific scenarios, simply cloning and launching a malicious repository could allow background processes to execute and attempt to leverage existing development environment permissions.

Key Findings:

  • Silent Command Execution: Claude Code includes automation capabilities that allow predefined actions to run when a session begins. This means that simply opening a malicious repository could trigger hidden execution on a developer’s machine, without any additional interaction beyond launching the project.

  • User Consent Bypass (CVE-2025-59536): Claude Code integrates with external tools via the MCP, enabling additional services to be initialised when a project is opened. Researchers found that repository-controlled configuration settings could override these safeguards. When code runs before trust is established, the control model is inverted, shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface.

  • API Key Theft Before Trust Confirmation: The most concerning finding involved credential exposure. Claude Code communicates with Anthropic’s services using an API key. Researchers demonstrated that API traffic, including the full authorisation header, could be redirected to an attacker-controlled server before the user confirmed trust in the project directory.

Oded Vanunu, Head of Product Vulnerability Research at Check Point, explained: “This research highlights a fundamental shift in how we need to think about risk in the AI era. AI development tools are no longer peripheral utilities—they are becoming infrastructure. When automation layers gain the ability to influence execution and environment behaviour, trust boundaries change. Organisations accelerating AI adoption must ensure their security models evolve at the same pace.”

CSA Editorial

Launched in Jan 2018, in partnership with Cyber Security Malaysia (an agency under MOSTI). CSA is a news and content platform focusing on key issues in cybersecurity in the region. CSA is targeted to serve the needs of cybersecurity professionals, IT professionals, Risk professionals and C-Levels who have an obligation to understand the impact of cyber threats.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *