CVE-2025-54794
Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access
In short
Claude Code had a flaw that let attackers access files outside the intended working directory by creating a folder with a similar name. This could expose sensitive files if someone tricks the tool into reading from the wrong location.
Technical detail
Path validation used prefix matching instead of canonical path resolution, allowing directory traversal attacks. Exploitation requires creating a directory sharing a name prefix with the CWD and injecting untrusted input into the Claude Code context. The vulnerability was fixed in version 0.2.111.
Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
anthropics · claude-codeWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →