应改变你审查 AI 生成代码方式的 Claude Code CVE
📄 中文摘要
Check Point Research 上个月发布了关于 Claude Code 的两个关键漏洞的详细信息,其中一个漏洞(CVE-2025-59536,CVSS 8.7)允许在克隆的代码库中运行时立即进行远程代码执行,无需接受提示或运行任何代码。另一个漏洞(CVE-2026-21852,CVSS 5.3)则在用户看到信任对话框之前,悄悄地将用户的 API 流量(包括完整的授权头)重定向到攻击者控制的服务器。虽然这两个漏洞现已修复,但它们揭示了我们在没有安全审查的情况下,悄然接受的新威胁模型。
📄 English Summary
The Claude Code CVE That Should Change How You Review AI-Generated Code
Last month, Check Point Research revealed two critical vulnerabilities in Claude Code, one of which (CVE-2025-59536, CVSS 8.7) enabled remote code execution the moment the tool was launched in a cloned repository, without requiring user prompts or code execution. The other vulnerability (CVE-2026-21852, CVSS 5.3) silently redirected API traffic, including the full authorization header, to an attacker-controlled server before the user encountered any trust dialog. While both vulnerabilities have been patched, they highlight a new threat model that has been quietly adopted without proper security reviews.
Powered by Cloudflare Workers + Payload CMS + Claude 3.5
数据源: OpenAI, Google AI, DeepMind, AWS ML Blog, HuggingFace 等