CVE-2026-25722

Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection

CVSS 7.7 HIGH · EPSS 0.4% · CWE-20 · CWE-78
In short

Claude Code before version 2.0.57 let an attacker bypass its file write protection: a cd into a sensitive folder such as .claude followed by a write could create or modify files there without the user's confirmation. The risk applies when untrusted content can be placed in the tool's context window, which is the prompt-injection route by which an attacker would get such commands issued.

Technical detail

Improper input validation (CWE-20): the check that protects folders such as .claude on write operations did not correctly account for a preceding directory change, so a write issued after a cd into the protected folder went through without user confirmation. The CWE-78 (OS command injection) label reflects that the bypass is carried out through shell commands run by the tool. An attacker who can get untrusted content into Claude Code's context window can induce the tool to run such a cd-then-write sequence; the CVSS 4.0 vector's AT:P and UI:P reflect those preconditions (attacker content must reach the context, and a user must be operating the tool). Patched in version 2.0.57.

Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
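A minimal illustration of the bug class described above, added here as an example and not taken from Claude Code's code base: a write guard that inspects only the literal path argument of a write misses a write that first cd's into .claude, while a guard that tracks the effective working directory through each cd catches it. The project root, the protected directory names (.git is added beyond what the advisory names), the handled shell subset and the two check functions are all assumptions made for the example.

```python
"""Illustration of the bug class in CVE-2026-25722, written for this page.
It is NOT Claude Code's implementation: the project root, the protected
directory names, the handled shell subset and the two check functions are
all assumptions made for the example.

naive_check    - the vulnerable pattern: judges a write by its literal path
                 argument relative to the project root and ignores any cd
                 earlier in the command chain.
hardened_check - resolves the effective working directory through every cd
                 before deciding where a write really lands, and fails closed
                 on cd forms it cannot model.
"""
from __future__ import annotations

import re
import shlex
from pathlib import PurePosixPath

# Hypothetical policy: writes under these directories need user confirmation.
PROJECT_ROOT = PurePosixPath("/home/dev/project")
PROTECTED_DIRS = frozenset({".claude", ".git"})

# Commands treated as writes, plus `>`/`>>` redirections (demo subset only;
# 2>file, sed -i, install, python -c ... are deliberately not modelled).
WRITE_COMMANDS = frozenset({"touch", "tee", "cp", "mv"})
SEPARATORS = re.compile(r"\s*(?:&&|\|\||\||;)\s*")


def split_commands(command_line: str) -> list[list[str]]:
    """Split a command line on ;, &&, || and | into argv lists.
    A regex split ignores quoting, subshells and $(...); a production guard
    needs a real shell parser (see the note below the block)."""
    return [shlex.split(seg) for seg in SEPARATORS.split(command_line) if seg.strip()]


def write_targets(argv: list[str]) -> list[str]:
    """Literal path arguments that a simple command would write to."""
    targets: list[str] = []
    for i, tok in enumerate(argv):
        if tok in (">", ">>") and i + 1 < len(argv):
            targets.append(argv[i + 1])            # "> file"
        elif len(tok) > 1 and tok.startswith(">"):
            targets.append(tok.lstrip(">"))        # ">file" / ">>file"
    if argv and argv[0] in WRITE_COMMANDS:
        args = [a for a in argv[1:] if not a.startswith(("-", ">"))]
        # cp/mv write only to their last argument; touch/tee write every argument
        targets.extend(args[-1:] if argv[0] in ("cp", "mv") else args)
    return targets


def normalize(base: PurePosixPath, target: str) -> PurePosixPath:
    """Join target onto base and collapse . and .. lexically (no filesystem
    access, so symlinks are not followed: another gap a real guard must close)."""
    parts: list[str] = []
    for part in (base / target).parts:             # an absolute target replaces base
        if part == "..":
            if len(parts) > 1:                     # never pop the leading "/"
                parts.pop()
        elif part != ".":
            parts.append(part)
    return PurePosixPath(*parts)


def is_protected(path: PurePosixPath) -> bool:
    """True if an absolute, normalized path lies under a protected directory."""
    try:
        rel = path.relative_to(PROJECT_ROOT)
    except ValueError:                             # outside the project entirely
        return False
    return any(part in PROTECTED_DIRS for part in rel.parts)


def naive_check(command_line: str) -> bool:
    """VULNERABLE pattern: every write target is resolved against the project
    root, as if no cd had happened. Returns True when the write must be blocked."""
    return any(
        is_protected(normalize(PROJECT_ROOT, target))
        for argv in split_commands(command_line)
        for target in write_targets(argv)
    )


def hardened_check(command_line: str) -> bool:
    """FIXED pattern: carry the working directory across every cd and resolve
    each write against it. Fails closed on cd forms the model does not cover."""
    cwd = PROJECT_ROOT
    for argv in split_commands(command_line):
        if argv and argv[0] == "cd":
            if len(argv) != 2 or argv[1].startswith(("-", "~", "$")):
                return True                        # `cd`, `cd -`, `cd ~`, `cd $X`: cannot model
            cwd = normalize(cwd, argv[1])
            continue
        if any(is_protected(normalize(cwd, t)) for t in write_targets(argv)):
            return True
    return False


if __name__ == "__main__":
    # Constructed command lines; the second is the shape the advisory describes.
    for cmd in ("echo x > .claude/settings.json",
                "cd .claude && echo x > settings.json",
                "cd src && touch ../.claude/hooks.json"):
        print(f"{cmd!r:45} naive={naive_check(cmd)} hardened={hardened_check(cmd)}")
```

The regex split in split_commands is itself the weak point of this toy: quoting, subshells, $(...), env --chdir, pushd and line continuations all change the effective directory or hide a separator. A guard that mediates shell commands needs a real shell parser and, better, a second enforcement point that does not depend on parsing at all, such as checking the resolved path at the moment the write happens.
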
Affected products
anthropics · claude-code
