CVE-2025-54794

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

C

laude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111.

References

Link	Resource
https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*

History

27 Oct 2025, 18:01

Type	Values Removed	Values Added
References	~~() https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2 -~~	() https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2 - Vendor Advisory
CPE		cpe:2.3:a:anthropic:claude_code::::::node.js::*
First Time		Anthropic Anthropic claude Code
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

05 Aug 2025, 14:34

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-05 01:15

Updated : 2025-10-27 18:01

NVD link : CVE-2025-54794

Mitre link : CVE-2025-54794

CVE.ORG link : CVE-2025-54794

JSON object : View

Products Affected

claude_code

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2025-54794", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-05T01:15:41.877", "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111."}, {"lang": "es", "value": "Claude Code es una herramienta de codificaci\u00f3n agentica. En versiones anteriores a la 0.2.111, una falla de validaci\u00f3n de rutas que utiliza la coincidencia de prefijos en lugar de la comparaci\u00f3n de rutas can\u00f3nicas permite eludir las restricciones de directorio y acceder a archivos fuera del CWD. Para que esta vulnerabilidad funcione, es necesario tener (o poder crear) un directorio con el mismo prefijo que el CWD y poder a\u00f1adir contenido no confiable a una ventana de contexto de Claude Code. Esto se corrigi\u00f3 en la versi\u00f3n 0.2.111."}], "lastModified": "2025-10-27T18:01:20.047", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "41E2EE32-5D62-4EA1-BF73-B7E41510E871", "versionEndExcluding": "0.2.111"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}