Login Sign Up

CVE-2025-54794

9.1 CRITICAL
Path Traversal

📋 TL;DR

CVE-2025-54794 is a path traversal vulnerability in Claude Code versions below 0.2.111 that allows attackers to bypass directory restrictions and access files outside the current working directory. This affects users who run untrusted code through Claude Code or allow untrusted content in its context window. The vulnerability stems from improper path validation using prefix matching instead of canonical path comparison.

💻 Affected Systems

Products:
  • Claude Code
Versions: All versions below 0.2.111
Operating Systems: All platforms where Claude Code runs
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires ability to add untrusted content to Claude Code context window and presence of directory with same prefix as CWD.

📦 What is this software?

Claude Code by Anthropic

View all CVEs affecting Claude Code →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary file read/write, potentially leading to credential theft, data exfiltration, or remote code execution.

🟠

Likely Case

Unauthorized access to sensitive files in directories adjacent to the CWD, potentially exposing configuration files, credentials, or source code.

🟢

If Mitigated

Limited file access within the same directory tree if proper input validation and sandboxing are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific directory structure and ability to inject untrusted content into Claude Code context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.111

Vendor Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2

Restart Required: Yes

Instructions:

1. Stop Claude Code service. 2. Update to version 0.2.111 or later using package manager or direct download. 3. Restart Claude Code service.

🔧 Temporary Workarounds

Restrict directory permissions

linux

Set strict permissions on directories outside CWD to prevent unauthorized access

chmod 700 /path/to/sensitive/directories

Sandbox execution

all

Run Claude Code in container or VM with restricted filesystem access

docker run --read-only -v /safe/path:/app anthropic/claude-code

🧯 If You Can't Patch

  • Disable Claude Code or restrict to trusted users only
  • Implement strict input validation and sanitization for all content entering Claude Code context

🔍 How to Verify

Check if Vulnerable:

Check Claude Code version and compare against vulnerable range

Check Version:

claude-code --version

Verify Fix Applied:

Verify version is 0.2.111 or higher and test path traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns
  • Path traversal attempts in logs
  • Access to files outside expected directories

Network Indicators:

  • Unexpected outbound file transfers if data exfiltration occurs

SIEM Query:

source="claude-code" AND (event="file_access" AND path NOT STARTSWITH "/expected/path/")

📊 Metadata

CVE ID: CVE-2025-54794
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-22
EPSS Score: 0.04% exploit probability (11.8th percentile)
Published: August 5, 2025
Last Updated: October 27, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-54794, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)