A critical unauthenticated WebSocket vulnerability (CVE-2025-52882) in Anthropic’s Claude Code IDE extensions allowed malicious websites to connect to local MCP servers and execute commands, including reading local files and running code in Jupyter notebooks. The flaw is fully patched in version 1.0.24 and later, and vulnerable versions were removed from extension stores.
Keypoints
- The Claude Code IDE extensions for VS Code and other IDEs exposed an unauthenticated local WebSocket MCP server that could be reached by malicious websites, enabling remote command execution.
- CVE-2025-52882 has a CVSS score of 8.8 (High) and affects Claude Code extension versions 1.0.23 and earlier; the issue is fully patched in 1.0.24 and later.
- An attacker could exploit the flaw by luring a user to a webpage with JavaScript that probes localhost ports, establishes a WebSocket to the MCP server, and issues JSON-RPC MCP commands (e.g., tools/list, tools/call) to read files or run code.
- The vulnerability resulted from design choices: unauthenticated WebSocket server, browser WebSocket behavior bypassing same-origin restrictions, localhost binding not providing protection, and dynamic port assignment susceptible to brute force.
- An exploit requires only visiting a malicious site and produces no browser warnings for localhost WebSocket connections, making it highly scalable (including via ads) and stealthy.
- Anthropic removed vulnerable extension versions from marketplaces and released patched versions; the fix adds an auth token, stored in a local lock file, that the Claude Code CLI provides for WebSocket authentication.
- This issue is part of a broader pattern of MCP and IDE integration vulnerabilities (e.g., CVE-2025-49596, CVE-2025-6514) highlighting the need for stronger authentication and input validation in AI development tools.
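The patched behaviour described in the key points (an auth token kept in a local lock file and presented for WebSocket authentication) can be sketched as a handshake gate. This is an added example, not Anthropic's code or code from the source article; the header name, lock-file layout and function names are hypothetical.

```javascript
const crypto = require("node:crypto");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Hypothetical header name: the page does not say how the token is transmitted.
// Node lower-cases incoming header names, so the constant is lower-case too.
const AUTH_HEADER = "x-example-mcp-auth";

// Server start-up: mint a random token and store it in a lock file readable
// only by the current OS user. A web page has no access to the local disk.
function writeLockFile(dir, port) {
  const token = crypto.randomBytes(32).toString("hex");
  const file = path.join(dir, `${port}.lock`);
  fs.writeFileSync(file, JSON.stringify({ port, authToken: token }), { mode: 0o600 });
  return { file, token };
}

// Local client (the CLI in the page's description): read the token back.
function readToken(file) {
  return JSON.parse(fs.readFileSync(file, "utf8")).authToken;
}

// Handshake gate: decide from the upgrade request headers whether to accept.
function authorizeUpgrade(headers, expectedToken) {
  const presented = headers[AUTH_HEADER];
  if (typeof presented !== "string" || presented.length === 0) {
    return { ok: false, reason: "missing token" };
  }
  // Hash both sides so timingSafeEqual always receives equal-length buffers.
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expectedToken).digest();
  return crypto.timingSafeEqual(a, b)
    ? { ok: true, reason: "token match" }
    : { ok: false, reason: "bad token" };
}

// Constructed requests: a local client that read the lock file, a browser-style
// handshake (Origin header only), and a client presenting a wrong token.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "mcp-lock-"));
  const { file, token } = writeLockFile(dir, 42603); // example port from the page
  const cli = authorizeUpgrade({ [AUTH_HEADER]: readToken(file) }, token);
  const browser = authorizeUpgrade({ origin: "https://untrusted.example" }, token);
  const wrong = authorizeUpgrade({ [AUTH_HEADER]: "0".repeat(64) }, token);
  fs.rmSync(dir, { recursive: true });
  return { cli, browser, wrong };
}
```

The gate belongs in the server's HTTP upgrade handler, before any JSON-RPC message is parsed, so an unauthenticated connection never reaches `tools/list` or `tools/call`.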
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The attacker exploited a publicly reachable web page to run JavaScript that probed localhost ports and connected to the MCP server (“An attacker lures a victim to a malicious website or compromises a legitimate site with malicious JavaScript code”).
- [T1059] Command and Scripting Interpreter – The attacker executed commands via the MCP protocol once connected, including reading files and running Jupyter notebook code (“the attacker could then execute the commands available in the MCP server, which included reading local files and executing code in Jupyter notebooks within the IDE”).
- [T1040] Network Sniffing / Port Scanning – The malicious script performed port discovery by systematically attempting WebSocket connections across common port ranges to find the MCP server (“The malicious script systematically attempts WebSocket connections to localhost across common port ranges”).
- [T1071] Application Layer Protocol – The exploit used WebSocket (ws://localhost:port) connections and JSON-RPC 2.0 messages to communicate with the MCP server (“attackers could send JSON-RPC 2.0 messages … ping, tools/list, tools/call”).
- [T1195] Supply Chain Compromise (adjacent) – The vulnerability involved an IDE extension component and marketplace distribution, with vulnerable versions removed from extension stores and automatic updates pushed (“Anthropic has pulled all vulnerable versions of the extension from applicable marketplaces” and “extension is configured to automatically update”).
Indicators of Compromise
- [File/Version] vulnerable extension versions – Claude Code extension versions 1.0.23 and earlier (update to 1.0.24 or later to remediate).
- [Protocol/URL] local WebSocket endpoint – example ws://localhost:42603 (attackers probed similar dynamic MCP ports by brute force).
- [CVE] vulnerability identifiers – CVE-2025-52882 (primary), referenced related CVEs: CVE-2025-49596, CVE-2025-6514, CVE-2025-53110, CVE-2025-53109.
- [Config/Artifact] auth token lock file – patched behavior stores an auth token in a local lock file used by the Claude Code CLI for WebSocket authentication (verify presence and token usage).
Read more: https://securitylabs.datadoghq.com/articles/claude-mcp-cve-2025-52882/