Two high-severity vulnerabilities in Anthropic's Claude Code could allow attackers to escape its restrictions and execute unauthorized commands. Most remarkably, Claude itself unwittingly helped develop the exploits used against its own safety mechanisms.
The vulnerabilities, discovered by Elad Beber of Cymulate and tracked as CVE-2025-54794 and CVE-2025-54795, demonstrate how an AI system's analytical capabilities can be turned against its own security controls through careful prompt crafting.
Claude Code is Anthropic's AI-powered coding assistant, designed to help developers write and execute code through natural language. Its security relies on two main defenses: Current Working Directory (CWD) restrictions that sandbox file operations, and command whitelisting that permits only pre-approved operations such as ls, cat, and echo.
CVE-2025-54794: Path Restriction Bypass
The first vulnerability exploits naive prefix-based path validation in Claude Code's directory containment system. When validating file paths, the system simply checks whether a requested path begins with the approved directory prefix.
An attacker can bypass this by creating a directory with a similar prefix. For example, if the working directory is /tmp/allowed_dir, creating /tmp/allowed_dir_malicious would pass validation because it begins with the approved prefix. This grants unauthorized access to files outside the intended sandbox.
When combined with symbolic links, this vulnerability allows access to critical system files, potentially leading to privilege escalation in environments where Claude Code runs with elevated privileges.
CVE-2025-54795: Command Injection
The second vulnerability allows arbitrary command execution through improper input sanitization of whitelisted commands. Attackers can inject malicious commands while masquerading as legitimate operations.
The attack exploits the echo command using a template such as echo ""; <injected command>; echo "". The payload terminates the echo string, injects the attacker's command, then resumes echo to maintain the appearance of legitimacy. Because the construct appears to originate from a whitelisted command, Claude Code executes it without user confirmation.
Beber demonstrated this by making Claude execute open -a Calculator, launching applications without authorization.
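The whitelist check the injection slips past, beside a stricter validator that refuses shell metacharacters and reports why, as an added Node.js example (not Claude Code's own code; the regex, function names and the refusal reasons are assumptions):

```javascript
// Added example, not Claude Code's own code: the prefix-only whitelist test
// that CVE-2025-54795 describes, beside a stricter validator that also
// reports why a command was refused, so refusals can be logged and alerted on.
const ALLOWED = new Set(["ls", "cat", "echo"]);

// Vulnerable: asks only whether the string begins with a whitelisted word.
// 'echo ""; open -a Calculator; echo ""' starts with "echo", so it passes
// and the shell then runs all three statements.
function isAllowedNaive(cmd) {
  return /^(ls|cat|echo)(\s|$)/.test(cmd);
}

// Characters that end a statement, chain commands, or substitute output.
// Refusing them anywhere is deliberately conservative: a legitimate
// echo "a;b" is also refused rather than risking a second command.
const SHELL_META = /[;&|`$<>(){}\n\r]/;

function checkCommandStrict(cmd) {
  const meta = cmd.match(SHELL_META);
  if (meta) {
    return { allowed: false, reason: `shell metacharacter '${meta[0]}'` };
  }
  const word = cmd.trim().split(/\s+/)[0] || "";
  if (!ALLOWED.has(word)) {
    return { allowed: false, reason: `'${word}' is not whitelisted` };
  }
  return { allowed: true, reason: "ok" };
}

function isAllowedStrict(cmd) {
  return checkCommandStrict(cmd).allowed;
}
```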
The most striking aspect of Beber's research was how Claude actively participated in developing exploits against itself. Through iterative refinement, Claude analyzed failed attack attempts, identified why they did not work, and suggested improvements to bypass its own protections.
This recursive vulnerability development reveals a fundamental AI security challenge: these systems can be directed toward identifying and exploiting their own weaknesses through social engineering and prompt manipulation.
Beber's investigation involved reverse engineering Claude Code's obfuscated JavaScript codebase using tools such as WebCrack and combining this with Claude's analytical capabilities to unpack the minified code. This process exposed the vulnerable regex patterns and path validation functions that enabled both attacks.
These vulnerabilities pose significant risks in enterprise environments where Claude Code may operate with elevated privileges. The path bypass could enable access to sensitive configuration files and credentials, while command injection could establish persistent access or install backdoors.
Successful exploitation requires introducing untrusted content into Claude Code's context, which could occur through malicious documentation, compromised project files, or social engineering.
Anthropic’s Response
Anthropic responded swiftly to Beber's responsible disclosure. CVE-2025-54794 was fixed in version 0.2.111 with robust canonical path comparison, while CVE-2025-54795 was resolved in version 1.0.20 with improved input sanitization and granular command validation.

| Vulnerability | CVE | Affected Versions | Fixed Version | Action | Description |
|---|---|---|---|---|---|
| Path Restriction Bypass | CVE-2025-54794 | before v0.2.111 | v0.2.111 | Update to ≥ v0.2.111 | Exploitable flaw in directory restriction enforcement |
| Command Injection | CVE-2025-54795 | before v1.0.20 | v1.0.20 | Update to ≥ v1.0.20 | Allowed arbitrary command execution via an input sanitization bug |
These findings highlight critical challenges as AI systems become more autonomous. The recursive nature of AI-assisted vulnerability research represents a new cybersecurity paradigm in which traditional security models may prove inadequate.
The research underscores the need to apply rigorous security practices to AI-powered development tools, treating them with the same caution as traditional software systems while developing new approaches for AI-specific threats.
CVE-2025-54794 and CVE-2025-54795 illuminate the growing challenges of securing AI systems that can analyze and potentially compromise their own security measures.
As AI systems become more capable, the cybersecurity community must develop innovative approaches, rigorous testing methodologies, and continued collaboration between AI developers and security researchers to address these evolving threats effectively.