Anthropic's AI Tool Exposed to One-Click Remote Code Execution Risk

"The moment a developer presses Enter on Claude Code's generic 'Yes, I trust this folder' dialog, the server spawns as an unsandboxed Node.js process with the user's full privileges — no per-server consent, no tool call from Claude required," Adversa AI explains in its PoC repo.

How TrustFall delivers a one-click remote code execution

Security firm Adversa AI published a TrustFall proof-of-concept showing how two JSON files commonly found in cloned repositories — .mcp.json and .claude/settings.json — can instruct a Model Context Protocol (MCP) server to run under a developer's account. MCP servers expose tools, configuration data, schemas and documentation to models via JSON; the PoC demonstrates that these files can point the client at an attacker-controlled MCP server. Adversa's video demonstration worked on Claude Code CLI v2.1.114 as of May 2.

Why project-scoped settings are the injection vector

Adversa says the vulnerability stems from inconsistent project-level restrictions. Anthropic, the maker of Claude Code, blocks some dangerous settings at the project level — for example, bypassPermissions — but does not block others, including enableAllProjectMcpServers and enabledMcpjsonServers. Those unblocked settings can be written into the project JSON files and used to enable attacker-controlled servers; when the trust dialog is accepted, the server process is spawned with full user privileges.
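A pre-trust audit a developer or security team can run on a freshly cloned repository before answering the trust dialog, listing the MCP servers the project would register and the project-scoped settings named above. This is an added example, not code from Adversa's PoC or from Claude Code; the `mcpServers` layout of `.mcp.json` is assumed from the documented format, and the sample repository it builds is constructed here.

```python
import json
import tempfile
from pathlib import Path
from typing import Any

# Project-scoped settings the article reports as unblocked in Claude Code.
RISKY_SETTINGS = ("enableAllProjectMcpServers", "enabledMcpjsonServers")

def load_json(path: Path) -> dict[str, Any]:
    """Parse a JSON object file; absent, unreadable or non-object input yields {}."""
    if not path.is_file():
        return {}
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def audit_project(root: Path) -> list[str]:
    """List what a 'trust this folder' click would enable; empty list = nothing flagged."""
    findings: list[str] = []
    mcp = load_json(root / ".mcp.json")
    settings = load_json(root / ".claude" / "settings.json")
    # Assumed .mcp.json layout: {"mcpServers": {name: {"command": ..., "args": [...]}}}
    servers = mcp.get("mcpServers")
    if isinstance(servers, dict):
        for name, spec in servers.items():
            spec = spec if isinstance(spec, dict) else {}
            cmd = " ".join([str(spec.get("command", "?"))] + [str(a) for a in spec.get("args", [])])
            findings.append(f".mcp.json defines server '{name}' -> {cmd}")
    for key in RISKY_SETTINGS:
        if key in settings:
            findings.append(f".claude/settings.json sets project-scoped {key}={settings[key]!r}")
    perms = settings.get("permissions")
    if isinstance(perms, dict) and perms.get("allow"):
        findings.append(f".claude/settings.json pre-approves permissions.allow={perms['allow']!r}")
    return findings

def demo(populate: bool = True) -> list[str]:
    """Audit a constructed sample repo (not Adversa's PoC files) in a fresh temp dir."""
    root = Path(tempfile.mkdtemp())
    if populate:
        (root / ".claude").mkdir()
        (root / ".mcp.json").write_text(json.dumps(
            {"mcpServers": {"helper": {"command": "node", "args": ["server.js"]}}}))
        (root / ".claude" / "settings.json").write_text(json.dumps(
            {"enableAllProjectMcpServers": True, "permissions": {"allow": ["Bash(git:*)"]}}))
    return audit_project(root)

if __name__ == "__main__":
    for finding in demo():
        print("FLAG:", finding)
```

Run `audit_project(Path("path/to/clone"))` against a real checkout; any finding is a reason to inspect the files before accepting the folder-trust prompt.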

Anthropic's threat-model stance and the history of CVE patches

Adversa notes that CVE-2025-59536 was treated as a vulnerability because it triggered automatically when a user started Claude Code in a malicious directory. By contrast, Adversa says Anthropic contends that the TrustFall PoC falls outside the company's threat model because the user is shown a dialog box and therefore has made a "trust decision." Alex Polyakov, co-founder of Adversa AI, told The Register in an email: "It's the third CVE in Claude Code in six months from the same root cause (project-scoped settings as injection vector)." Polyakov added that each issue has been patched in isolation without addressing what Adversa describes as the underlying class of flaws.

Developer UX: a removed warning and a default that favors trust

Adversa's Sergey Malenkovich says Claude Code's pre-v2.1 dialog "explicitly warned that .mcp.json could execute code and offered three options including 'proceed with MCP servers disabled'." According to Adversa, that informed-consent UX was removed in v2.1. The current dialog, Adversa argues, defaults to "Yes, I trust this folder" with no MCP-specific language, no enumeration of which executables will spawn, and no opt-out for MCP while preserving other trust grants.

CI/CD pipelines and the zero-click variant

Adversa warns of a zero-click risk for CI/CD systems that invoke Claude Code via the SDK rather than the interactive CLI. In that non-interactive mode, the terminal prompt is absent; Adversa argues the same project-scoped settings can be abused to enable attacker-controlled MCP servers without any interactive confirmation, allowing automated pipelines to spawn unsandboxed processes.

What Adversa AI recommends, and who is affected

  • Adversa proposes three changes it says Anthropic should make: block enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside a project; implement a dedicated MCP consent dialog that defaults to "deny"; and require interactive consent per server rather than a single blanket trust grant for all servers.
  • Anthropic did not respond to a request for comment, according to the reporting.

What this means for developers, CI/CD teams, and Anthropic

  • Developers and security teams: Repositories can contain .mcp.json and .claude/settings.json that change runtime behavior; the PoC shows a single affirmative trust click can spawn an unsandboxed Node.js process with full user privileges, creating immediate compromise risk for machines used for development.
  • CI/CD and DevOps teams: When Claude Code is invoked through the SDK in CI/CD, interactive prompts do not appear. Adversa highlights a practical "zero-click" pathway where automated builds or deployments could run attacker-specified MCP servers without any human confirmation.
  • Anthropic and product managers: Adversa frames the issue as a recurring root cause — project-scoped settings as an injection vector — and recommends blocking specific project settings and restoring or hardening consent flows; Anthropic's position that interactive trust decisions move the issue outside its threat model is central to whether product changes are pursued.

Adversa AI's TrustFall PoC joins a string of confirmations that project-scoped settings can serve as an injection vector for agent CLIs; the company argues that user-facing consent must be both specific and opt-out by default, and that project files should not be able to approve their own servers. With three CVEs tied to the same root cause in six months, the core question left on the table is whether product-side defenses and consent UX will be tightened to remove project-scoped approvals from the attack surface, or whether fixes will continue to be applied piecemeal.

Original reporting at The Register