CVE-2025-54794
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-10-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anthropic | claude_code | to 0.2.111 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a path restriction bypass in Claude Code versions before 0.2.111. It occurs because the software uses prefix matching instead of proper canonical path comparison to validate file paths. This flaw allows an attacker to bypass directory restrictions and access files outside the current working directory if a directory with the same prefix exists or can be created, and if untrusted content can be injected into a Claude Code context window. [1]
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to files outside the intended directory, potentially exposing sensitive data or allowing manipulation of files. It has a high impact on confidentiality, integrity, and availability of the vulnerable system. Remote attackers can exploit this with low complexity and no privileges required, making it a significant security risk. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying the installed version of Claude Code to see if it is below v0.2.111, as those versions are vulnerable. Additionally, checking for the presence or creation of directories with the same prefix as the current working directory (CWD) and monitoring for untrusted content injection into Claude Code context windows may indicate exploitation attempts. Specific commands to check the version could include: `claude-code --version` or inspecting package.json or installed package versions via `npm list @anthropic-ai/claude-code`. Monitoring file system activity for unusual directory creations or access outside the CWD may require custom scripts or file integrity monitoring tools. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Claude Code to version 0.2.111 or later, as the vulnerability is fixed in that version. Users on standard Claude Code auto-update receive the patch automatically. Additionally, restrict the ability to create directories with the same prefix as the CWD and prevent injection of untrusted content into Claude Code context windows to reduce exploitation risk. [1]