Adversa AI TrustFall — Claude Code One-Click RCE

AI relevance: A cloned repository containing .mcp.json and .claude/settings.json can silently enable an attacker-controlled MCP server the instant a developer clicks "Yes, I trust this folder" in Claude Code — spawning an unsandboxed Node.js process with full user privileges, no per-server consent required.

• Adversa AI's TrustFall proof-of-concept targets Claude Code CLI v2.1.114 and also affects Gemini CLI, Cursor CLI, and Copilot CLI.
• The attack exploits inconsistent scoping of project-level settings: Anthropic blocks dangerous settings like bypassPermissions at project scope but not enableAllProjectMcpServers or enabledMcpjsonServers.
• This is the third CVE in Claude Code in six months stemming from the same root cause — project-scoped settings as an injection vector.
• Anthropic considers TrustFall out of scope because the user sees a trust dialog and makes a consent decision. Adversa argues the pre-v2.1 dialog explicitly warned about MCP code execution and offered an opt-out; the current dialog defaults to "Yes, I trust this folder" with no MCP-specific language.
• A zero-click variant applies to CI/CD pipelines that invoke Claude Code via SDK, where no interactive terminal prompt exists at all.
• Adversa recommends: block enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any project-scoped settings file; implement a dedicated MCP consent dialog defaulting to deny; require per-server interactive consent.

Why it matters

Developers routinely clone and open untrusted repositories. When the trust dialog grants blanket MCP server approval without enumerating which executables will spawn, a single click becomes a full RCE. The fact that this is the third variant from the same design flaw — patched in isolation each time — signals a deeper architectural gap in how AI coding agents scope project-level configuration.

What to do

• Treat "trust this folder" in any AI coding agent as equivalent to running arbitrary code from that repo.
• Review and restrict MCP server configurations in .mcp.json and .claude/settings.json before opening cloned repositories.
• In CI/CD pipelines using Claude Code or similar agents, enforce sandboxed execution and audit project-scoped settings overrides.
• Organizations should consider git-hooks or pre-clone scanning to flag repos containing MCP configuration files.

Sources

• The Register — Anthropic response to 1-click pwn: Shouldn't have clicked 'ok'
• NVD — CVE-2025-59536 (prior Claude Code CVE)
• Adversa AI — TrustFall PoC video