CVE-2025-54794 Overview
Claude Code, an agentic coding tool developed by Anthropic, contains a path traversal vulnerability (CWE-22) in versions prior to 0.2.111. The vulnerability stems from a path validation flaw that uses prefix matching instead of canonical path comparison. This implementation error allows attackers to bypass directory restrictions and access files outside the current working directory (CWD).
Successful exploitation requires two conditions: the presence of (or ability to create) a directory with the same prefix as the CWD, and the ability to add untrusted content into a Claude Code context window. This combination could allow malicious actors to read or manipulate sensitive files beyond the intended scope of the tool.
Critical Impact
Attackers can bypass directory restrictions to access, read, or potentially modify files outside the intended working directory, potentially exposing sensitive source code, configuration files, or credentials.
Affected Products
- Anthropic Claude Code versions below 0.2.111
- Claude Code for Node.js (all platforms)
- Applications integrating Claude Code as a dependency
Discovery Timeline
- 2025-08-05 - CVE-2025-54794 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2025-54794
Vulnerability Analysis
This vulnerability is classified as a Path Traversal (Directory Traversal) issue under CWE-22. The root cause lies in how Claude Code validates file paths to enforce directory boundaries. Rather than performing canonical path comparison—which would resolve symbolic links, relative paths, and normalize the path before comparison—the application relies on simple prefix matching.
Prefix matching compares the beginning of a requested path against the allowed directory path. This approach is fundamentally flawed because it fails to account for scenarios where directory names share common prefixes. For example, if the CWD is /home/user/project, an attacker could potentially access files in /home/user/project-secrets by exploiting the prefix match logic.
The vulnerability requires network access and some user interaction, as untrusted content must be injected into the Claude Code context window. This could occur through malicious repository content, compromised dependencies, or social engineering tactics that lead users to process attacker-controlled input.
Root Cause
The vulnerability originates from an insecure path validation implementation. The code uses string prefix matching to determine whether a requested file path falls within the allowed directory boundaries. This approach fails to properly handle edge cases where:
- Directory names share common prefixes (e.g., /project vs /project-backup)
- Path traversal sequences could be normalized differently across operating systems
- Symbolic links or junction points could redirect path resolution
Proper path validation requires resolving paths to their canonical form using filesystem-aware normalization before comparison, ensuring that all symbolic links are resolved and relative path components (. and ..) are eliminated.
Attack Vector
The attack vector is network-based, requiring the attacker to inject malicious content into the Claude Code context window. This could be achieved through several scenarios:
Malicious Repository Content: An attacker could create a repository with specially crafted file references that exploit the prefix matching flaw when processed by Claude Code.
Prompt Injection: By including malicious path references in content that Claude Code processes, an attacker could direct the tool to access files outside the intended directory.
Dependency Confusion: If Claude Code processes content from compromised or malicious dependencies, the path traversal could be triggered during automated code analysis.
The exploitation mechanism involves crafting file paths that satisfy the prefix match validation while actually pointing to locations outside the CWD. This is typically achieved by creating or referencing directories that share the CWD prefix but contain sensitive data in sibling or parent directory structures.
Detection Methods for CVE-2025-54794
Indicators of Compromise
- Unexpected file access attempts to paths outside the designated working directory
- Log entries showing file operations on directories with similar prefixes to legitimate project directories
- Unusual context window content containing crafted path references or directory traversal patterns
- Evidence of newly created directories that mirror legitimate project path prefixes
Detection Strategies
- Monitor Claude Code file access patterns for operations targeting unexpected directory locations
- Implement file integrity monitoring on sensitive directories adjacent to development workspaces
- Review audit logs for path normalization anomalies or symbolic link resolution events
- Deploy endpoint detection rules that alert on directory traversal patterns in AI coding tool contexts
Monitoring Recommendations
- Enable verbose logging for Claude Code file system operations during security assessments
- Implement runtime application self-protection (RASP) to detect path traversal attempts
- Configure SentinelOne Singularity to monitor for anomalous file access patterns from Node.js processes
- Establish baseline file access patterns and alert on deviations during Claude Code sessions
How to Mitigate CVE-2025-54794
Immediate Actions Required
- Upgrade Claude Code to version 0.2.111 or later immediately
- Review recent file access logs for any suspicious path traversal attempts
- Audit any directories that share prefixes with your development working directories
- Validate the integrity of files in directories adjacent to Claude Code workspaces
Patch Information
Anthropic has released version 0.2.111 of Claude Code which addresses this vulnerability by implementing proper canonical path comparison instead of prefix matching. Organizations using Claude Code should upgrade to this version immediately.
For detailed patch information and security guidance, refer to the GitHub Security Advisory GHSA-pmw4-pwvc-3hx2.
Workarounds
- Isolate Claude Code execution environments using containerization or sandboxing to limit file system access scope
- Implement strict file system permissions that prevent read access to sensitive directories from the user context running Claude Code
- Avoid processing untrusted content or repositories with Claude Code until the patch is applied
- Use network segmentation to limit the tool's access to sensitive file shares or mounted volumes
# Upgrade Claude Code to patched version
npm update @anthropic/claude-code@0.2.111
# Verify installed version
npm list @anthropic/claude-code
# For global installations
npm update -g @anthropic/claude-code@0.2.111
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
