CVE-2025-55284
📋 TL;DR
CVE-2025-55284 allows attackers to bypass Claude Code's confirmation prompts to read local files and exfiltrate their contents over the network without user consent. This occurs due to an overly permissive allowlist of 'safe' commands. Only users of Claude Code versions prior to 1.0.4 who can inject untrusted content into the context window are affected.
💻 Affected Systems
- Claude Code
📦 What is this software?
Claude Code by Anthropic
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive local files (including credentials, configuration files, private keys) followed by exfiltration to attacker-controlled servers.
Likely Case
Limited file read of accessible user documents followed by data exfiltration, potentially exposing PII or proprietary information.
If Mitigated
No impact if proper input validation prevents untrusted content injection into Claude Code context windows.
🎯 Exploit Status
Exploitation requires ability to add untrusted content into a Claude Code context window, which typically requires some level of access or social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.4
Vendor Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-x5gv-jw7f-j6xj
Restart Required: Yes
Instructions:
1. Ensure Claude Code auto-update is enabled
2. Restart Claude Code to apply version 1.0.4 or later
3. Verify version is 1.0.4+ using Help > About or version command
🔧 Temporary Workarounds
Disable Claude Code or restrict usage
allTemporarily disable Claude Code or restrict its usage to trusted environments only
Implement strict input validation
allEnsure no untrusted content can be injected into Claude Code context windows
🧯 If You Can't Patch
- Restrict Claude Code to run in isolated environments with limited file system access
- Implement network egress filtering to block unauthorized data exfiltration
🔍 How to Verify
Check if Vulnerable:
Check Claude Code version - if version is less than 1.0.4, system is vulnerableCheck Version:
Check via Claude Code interface: Help > About or use platform-specific package manager commandsVerify Fix Applied:
Confirm Claude Code version is 1.0.4 or later📡 Detection & Monitoring
Log Indicators:
- Unusual file read operations by Claude Code process
- Multiple confirmation prompt bypass attempts
Network Indicators:
- Unexpected outbound network connections from Claude Code process to unknown destinations
- Large data transfers from Claude Code to external IPs
SIEM Query:
Process:claude-code AND (EventID:4663 OR DestinationPort:443,80) AND DataTransfer > 1MB