Security researchers have discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to bypass security restrictions and execute unauthorized commands, with the AI assistant itself helping to facilitate these attacks.
The vulnerabilities, designated CVE-2025-54794 and CVE-2025-54795, demonstrate how sophisticated AI tools designed to enhance developer productivity can become vectors for system compromise when security boundaries are improperly implemented.
Discovery and Impact
The vulnerabilities were identified by security researcher Elad Beber from Cymulate during Anthropic’s Research Preview phase.
| CVE ID | Vulnerability Type | CVSS Score | Affected Versions | Fixed Version |
| CVE-2025-54794 | Path Restriction Bypass | 7.7 | < v0.2.111 | v0.2.111 |
| CVE-2025-54795 | Command Injection | 8.7 | < v1.0.20 | v1.0.20 |
In a remarkable twist, Beber used Claude itself to reverse-engineer Claude Code’s security mechanisms, with the AI unwittingly providing insights into its own vulnerabilities.
This “InversePrompt” approach highlighted fundamental flaws in the assistant’s path validation and command execution controls.
Claude Code, Anthropic’s AI-powered coding assistant, is designed to help developers write, analyze, and execute code through natural language prompts.
The system operates with user-level privileges and implements security controls including current working directory (CWD) restrictions and whitelisted command execution to prevent unauthorized system access.
Path Restriction Bypass Vulnerability
CVE-2025-54794 affects the core containment mechanism that restricts Claude Code’s file operations to a designated working directory.
The vulnerability stems from naive prefix-based path validation that can be circumvented through directory name manipulation.
When Claude Code validates file paths, it uses a simple prefix check that compares the resolved path against the current working directory.
Attackers can exploit this flaw by creating directories with names that begin with the same prefix as the legitimate working directory.
For example, if Claude Code operates in “/Users/developer/project”, an attacker could access “/Users/developer/project_malicious” because it shares the same prefix.
This bypass enables unauthorized file access and can be combined with symbolic links for complete filesystem traversal.
Command Injection Flaw
The second vulnerability, CVE-2025-54795, targets Claude Code’s command execution system.
While the assistant maintains a whitelist of approved commands like echo, pwd, and whoami that execute without user confirmation, improper input sanitization allows command injection attacks.
Researchers demonstrated that attackers can craft payloads using whitelisted commands as wrappers for arbitrary code execution.
A simple example involves terminating an echo command’s string parameter and appending malicious commands: echo “”; malicious_command; echo ””.
Since the base command remains whitelisted, Claude Code executes the entire payload without requesting user approval.
Anthropic responded promptly to the vulnerability disclosure, releasing patches for both issues.
Users should immediately update to Claude Code v0.2.111 or later to address the path restriction bypass, and v1.0.20 or later to resolve the command injection vulnerability.
These discoveries underscore the security challenges inherent in AI-powered development tools and highlight the importance of robust input validation and containment mechanisms in systems that bridge natural language interfaces with system-level operations.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
