Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window.

Users on standard Claude Code auto-update received this fix automatically after release. Current users of Claude Code are unaffected, as versions prior to 1.0.24 are deprecated and have been forced to update.

Thank you to Elad Beber (Cymulate) for reporting this issue!

Affected Packages

npm @anthropic-ai/claude-code

Affected versions: 0 (fixed in 0.2.111)

Related CVEs

CVE-2025-54794

Key Information

GHSA ID

GHSA-pmw4-pwvc-3hx2

Published

August 4, 2025 3:15 PM

Last Modified

August 5, 2025 5:10 PM

CVSS Score

7.5 /10

Primary Ecosystem

npm

Primary Package

@anthropic-ai/claude-code

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.