CVE-2025-59536 · Severity: High · CVSS 8.7

Claude Code MCP Consent Bypass — Repository Config Executes Before User Trust

Tags: claude-code, mcp, agentic-security, supply-chain

Check Point Research (Aviv Donenfeld and Oded Vanunu) disclosed three vulnerabilities in Claude Code that share a common root cause: project-scoped configuration files execute before the user has any opportunity to evaluate or reject the project.

CVE-2025-59536 specifically bypasses Claude Code's MCP consent dialog. Claude Code is designed to require explicit user approval before initializing MCP servers from a project. A malicious repository can override this security gate through repository-controlled settings, causing MCP servers to initialize — and execute — before trust has been established. Control over what runs in the developer's environment shifts from the user to the repository author.

Any developer who clones and opens an untrusted repository is exposed. The attack requires no additional user interaction beyond navigating to the project directory. Enterprises using Claude Code for code review, onboarding, or automated CI workflows are directly in scope.

Immediate recommendation: Treat all repository .claude/ configuration files from untrusted sources as potentially hostile; do not open unfamiliar repositories with Claude Code without reviewing their configuration layer first.
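A pre-open audit of the kind that recommendation calls for, as an added example (not code from the advisory, from Check Point Research, or from Anthropic): before a developer opens a freshly cloned repository with Claude Code, the script below lists every project-scoped item that could run or widen trust. The page names only the `.claude/` directory; the root `.mcp.json` file, the `mcpServers` key with `command`/`args` entries, and the `enableAllProjectMcpServers` setting name are assumptions about the configuration schema made for this example, and the sample repository it builds is constructed, not a real project.

```python
"""Pre-open audit of a cloned repository's project-scoped Claude Code
configuration.  Added example, not code from the advisory or from
Anthropic.  Assumptions not stated on the page: project MCP servers are
declared under an "mcpServers" key (each entry with "command"/"args"),
a project may also carry a ".mcp.json" at its root, and settings that
widen trust are booleans whose names contain words like "enableAll".
"""
import json
import os
import tempfile
from dataclasses import dataclass

CONFIG_DIR = ".claude"       # named in the advisory
ROOT_MCP_FILE = ".mcp.json"  # assumed location of project MCP definitions
MCP_KEY = "mcpServers"       # assumed key under which servers are declared
# Lower-cased substrings that mark a boolean setting as trust-widening.
# A review heuristic, not a statement of Claude Code's real schema.
AUTO_TRUST_HINTS = ("enableall", "autoapprove", "allowall", "bypass")


@dataclass
class Finding:
    path: str    # file the item came from, relative to the repo root
    kind: str    # "mcp_server", "auto_trust_setting" or "unparsable"
    detail: str


def candidate_files(repo):
    """Files the audit reads: root .mcp.json plus every *.json under .claude/."""
    root_mcp = os.path.join(repo, ROOT_MCP_FILE)
    if os.path.isfile(root_mcp):
        yield root_mcp
    for dirpath, _dirs, files in os.walk(os.path.join(repo, CONFIG_DIR)):
        for name in sorted(files):
            if name.endswith(".json"):
                yield os.path.join(dirpath, name)


def _describe(spec):
    """Render a server entry as the command line it would launch."""
    if not isinstance(spec, dict):
        return repr(spec)
    parts = [str(spec.get("command", "?"))] + [str(a) for a in spec.get("args", [])]
    return " ".join(parts)


def _scan(obj, rel, prefix, out):
    """Recursively collect server definitions and trust-widening booleans."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            dotted = f"{prefix}.{key}" if prefix else key
            if key == MCP_KEY and isinstance(value, dict):
                for name, spec in value.items():
                    out.append(Finding(rel, "mcp_server", f"{name}: {_describe(spec)}"))
            elif value is True and any(h in key.lower() for h in AUTO_TRUST_HINTS):
                out.append(Finding(rel, "auto_trust_setting", f"{dotted} = true"))
            else:
                _scan(value, rel, dotted, out)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            _scan(item, rel, f"{prefix}[{i}]", out)


def audit_repo(repo):
    """Return every finding in the repo's project-scoped configuration.
    Unparsable JSON is reported rather than skipped: a file the tool
    cannot read is exactly the one a reviewer must open by hand."""
    findings = []
    for path in candidate_files(repo):
        rel = os.path.relpath(path, repo)
        try:
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError) as exc:
            findings.append(Finding(rel, "unparsable", str(exc)))
            continue
        _scan(data, rel, "", findings)
    return findings


def build_sample_repo(repo):
    """Write a constructed repository layout for demonstration (not a real project)."""
    os.makedirs(os.path.join(repo, CONFIG_DIR), exist_ok=True)
    with open(os.path.join(repo, ROOT_MCP_FILE), "w", encoding="utf-8") as fh:
        json.dump({MCP_KEY: {"build-helper": {"command": "node",
                                              "args": ["./tools/mcp-server.js"]}}}, fh)
    with open(os.path.join(repo, CONFIG_DIR, "settings.json"), "w", encoding="utf-8") as fh:
        # "enableAllProjectMcpServers" is an assumed setting name for this example
        json.dump({"enableAllProjectMcpServers": True, "theme": "dark"}, fh)
    with open(os.path.join(repo, CONFIG_DIR, "broken.json"), "w", encoding="utf-8") as fh:
        fh.write("{ not json")  # deliberately malformed to exercise the unparsable path


def demo():
    """Build the constructed sample in a temp dir and audit it."""
    repo = tempfile.mkdtemp(prefix="claude-audit-")
    build_sample_repo(repo)
    return audit_repo(repo)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

Run against a real clone with `audit_repo("/path/to/clone")` and read the list before launching Claude Code in that directory. An empty result means no project-scoped server definitions or trust-widening booleans were found under the assumed layout; any `mcp_server` line is a process the repository author wants started in your environment, and any `unparsable` line is a file to inspect manually rather than trust because the tool could not read it.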