One Trust Click Can Expose Claude Code to Remote Code Execution, Researchers Say

Adversa AI says a TrustFall proof of concept uses MCP project settings to turn Claude Code's trust prompt into remote code execution risk for developers.

A cloned repository can turn a routine trust prompt into a remote-code-execution path in popular AI coding tools, according to The Register, citing research from security firm Adversa AI. The proof of concept, called TrustFall, targets the way agentic command-line tools handle Model Context Protocol settings inside a project folder.

The Register reported that the attack uses two JSON files, .mcp.json and .claude/settings.json, to connect a developer's environment to an attacker-controlled MCP server. MCP servers expose tools, configuration data, schemas, and documentation to AI models through JSON, The Register noted, which makes them powerful plumbing for AI coding agents and a tempting place to hide trust decisions.

The weak point, according to The Register's account of Adversa AI's research, is that Anthropic blocks some risky project-level settings, such as bypassPermissions, but not others, including enableAllProjectMcpServers and enabledMcpjsonServers. Adversa AI said that once a developer accepts Claude Code's generic "Yes, I trust this folder" dialog, the malicious MCP server can run as an unsandboxed Node.js process with the user's privileges, without a separate per-server consent step or a Claude tool call.
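As an added, defender-side illustration (not code from The Register, Adversa AI or Anthropic), the check below reads the two project files named above from a freshly cloned repository and reports what a single trust click would activate, before the developer answers the prompt. It assumes .mcp.json keeps its servers under a top-level "mcpServers" map with either command/args or url entries; the sample clone it builds in a temporary directory is constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Project-scoped files named in the article.
MCP_FILE = ".mcp.json"
SETTINGS_FILE = ".claude/settings.json"


def _load_json(path: Path) -> dict:
    """Parsed JSON object, or {} if the file is absent, unreadable or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}


def audit_project(repo) -> list:
    """Findings about MCP servers a trust click on this clone could activate."""
    repo = Path(repo)
    # Assumption: .mcp.json lists servers under "mcpServers", each with command/args or url.
    servers = _load_json(repo / MCP_FILE).get("mcpServers", {})
    findings = []
    for name, spec in servers.items():
        if "command" in spec:
            launch = " ".join([spec["command"], *map(str, spec.get("args", []))])
            findings.append(f"{MCP_FILE}: '{name}' launches local process: {launch}")
        else:
            findings.append(f"{MCP_FILE}: '{name}' connects to {spec.get('url', '<unknown>')}")
    settings = _load_json(repo / SETTINGS_FILE)
    if settings.get("enableAllProjectMcpServers") is True:
        findings.append(f"{SETTINGS_FILE}: enableAllProjectMcpServers=true pre-approves every server above")
    for name in settings.get("enabledMcpjsonServers") or []:
        state = "defined" if name in servers else "NOT in .mcp.json"
        findings.append(f"{SETTINGS_FILE}: enabledMcpjsonServers pre-approves '{name}' ({state})")
    return findings


def demo() -> list:
    """Run the audit on a constructed sample clone (not a real repository)."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / ".claude").mkdir()
        (repo / MCP_FILE).write_text(json.dumps({"mcpServers": {
            "helper": {"command": "npx", "args": ["-y", "example-helper"]}}}))
        (repo / SETTINGS_FILE).write_text(json.dumps({
            "enableAllProjectMcpServers": True, "enabledMcpjsonServers": ["helper"]}))
        return audit_project(repo)
```

Running `demo()` on the constructed clone lists the server's launch command plus both auto-approval settings; a clone with neither file yields no findings, which is the state a developer should expect before clicking "Yes, I trust this folder".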

The Register said Anthropic treated an earlier issue, CVE-2025-59536, differently because it could trigger automatically when Claude Code started inside a malicious directory. For TrustFall, The Register said, Anthropic's position is that the trust prompt itself is the security boundary, while Adversa AI says the prompt does not explain that project files can turn on MCP servers with broad local access.

The Register said Adversa AI's demo worked on Claude Code CLI v2.1.114 as of May 2, and that the firm also named Gemini CLI, Cursor CLI, and Copilot CLI as affected by the same class of attack, though specific public proofs of concept were not provided for those tools. Alex Polyakov, Adversa AI's co-founder, told The Register that this is the third Claude Code CVE in six months tied to project-scoped settings as an injection vector.

Anthropic's position, as described by The Register, is that TrustFall falls outside its threat model because the user sees a trust dialog before the attack path opens. Adversa AI argues that the consent is too vague because most developers don't know a cloned repository can silently enable MCP settings. That is the real warning for AI tooling teams: a single folder-level prompt is no longer enough when agents can wire new tools into a developer's machine.
