
CVE-2025-52882: WebSocket authentication bypass in Claude Code extensions

ID: dd0c783e-424c-5035-b855-188483d2e686

STIX ID: report--dd0c783e-424c-5035-b855-188483d2e686

Feed Name: Datadog Security Labs

Threat Score: 75/100

Date Published: 2025-08-26

Date Updated: 2026-04-27

...
...

A critical unauthenticated WebSocket vulnerability (CVE-2025-52882, CVSS 8.8) in Anthropic's Claude Code IDE extensions for VS Code allowed malicious websites to connect to local MCP servers on localhost. This enabled attackers to execute MCP commands, read local files, and run code in notebooks. The issue has been fixed in version 1.0.24, and earlier vulnerable versions have been removed from extension marketplaces.
