Claude Vulnerabilities Let Attackers Execute Unauthorized Commands With its Own Help
Two high-severity vulnerabilities in Anthropic’s Claude Code could allow attackers to escape restrictions and execute unauthorized commands. Most remarkably, Claude itself unwittingly assisted in developing the exploits used against its own security mechanisms.
The vulnerabilities uncovered by Elad Beber from Cymulate, CVE-2025-54794 and CVE-2025-54795, demonstrate how AI systems’ analytical capabilities can be turned against their own security controls through careful prompt crafting.
Claude Code operates as Anthropic’s AI-powered coding assistant, designed to help developers write and execute code through natural language. Its security relies on two primary defenses: Current Working Directory (CWD) restrictions that sandbox file operations, and command whitelisting that permits only pre-approved operations like `ls`, `cat`, and `echo`.

CVE-2025-54794: Path Restriction Bypass
The first vulnerability exploits naive prefix-based path validation in Claude Code’s directory containment system. When validating file paths, the system simply checks if a requested path begins with the approved directory prefix.
An attacker can bypass this by creating a directory with a similar prefix. For example, if the working directory is `/tmp/allowed_dir`, creating `/tmp/allowed_dir_malicious` would pass validation because it starts with the approved prefix. This grants unauthorized access to files outside the intended sandbox.
When combined with symbolic links, this vulnerability enables access to critical system files, potentially leading to privilege escalation in environments where Claude Code runs with elevated privileges.
CVE-2025-54795: Command Injection
The second vulnerability allows arbitrary command execution through improper input sanitization of whitelisted commands. Attackers can inject malicious commands while masquerading as legitimate operations.
The attack exploits the `echo` command using a template like: `echo "";`. This payload terminates the echo string, injects the attacker’s command, then resumes echo to maintain legitimacy. Since the construct appears to originate from a whitelisted command, Claude Code executes it without user confirmation.
Beber demonstrated this by making Claude execute `open -a Calculator`, launching applications without authorization.
The most striking aspect of Beber’s research was how Claude actively participated in developing exploits against itself. Through iterative refinement, Claude analyzed failed attack attempts, identified why they didn’t work, and suggested improvements to bypass its own protections.
This recursive vulnerability development reveals a fundamental AI security challenge: these systems can be directed toward identifying and exploiting their own weaknesses through social engineering and prompt manipulation.
Beber’s investigation involved reverse engineering Claude Code’s obfuscated JavaScript codebase using tools like WebCrack and combining this with Claude’s analytical capabilities to unpack the minified code. This process exposed the vulnerable regex patterns and path validation functions that enabled both attacks.
These vulnerabilities pose significant risks in enterprise environments where Claude Code might operate with elevated privileges. The path bypass could enable access to sensitive configuration files and credentials, while command injection could establish persistent access or install backdoors.
Successful exploitation requires introducing untrusted content into Claude Code’s context, which could occur through malicious documentation, compromised project files, or social engineering.
Anthropic’s Response
Anthropic responded swiftly to Beber’s responsible disclosure. CVE-2025-54794 was fixed in version 0.2.111 with robust canonical path comparison, while CVE-2025-54795 was resolved in version 1.0.20 with improved input sanitization and granular command validation.
Vulnerability | CVE | Affected Versions | Fixed Version | Action | Description |
---|---|---|---|---|---|
Path Restriction Bypass | CVE-2025-54794 | < v0.2.111 | v0.2.111 | Update to ≥ v0.2.111 | Exploitable flaw in directory restriction enforcement |
Command Injection | CVE-2025-54795 | < v1.0.20 | v1.0.20 | Update to ≥ v1.0.20 | Allowed arbitrary command execution via input sanitization bug |
These findings highlight critical challenges as AI systems become more autonomous. The recursive nature of AI-assisted vulnerability research represents a new cybersecurity paradigm where traditional security models may prove insufficient.
The research underscores the need to apply rigorous security practices to AI-powered development tools, treating them with the same caution as traditional software systems while developing new approaches for AI-specific threats.
CVE-2025-54794 and CVE-2025-54795 illuminate the emerging challenges of securing AI systems that can analyze and potentially compromise their own security measures.
As AI systems become more capable, the cybersecurity community must develop innovative approaches, rigorous testing methodologies, and continued collaboration between AI developers and security researchers to address these evolving threats effectively.