CVE-2025-54794
Published: 05 August 2025
Summary
CVE-2025-54794 is a high-severity Path Traversal (CWE-22) vulnerability in Anthropic Claude Code. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 40.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-54794 is a path traversal vulnerability (CWE-22) in Claude Code, an agentic coding tool developed by Anthropic. Versions below 0.2.111 use prefix matching for path validation instead of canonical path comparison, allowing attackers to bypass directory restrictions and access files outside the current working directory (CWD). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-08-05.
Exploitation is possible by remote attackers requiring no privileges or user interaction. It depends on the presence of—or ability to create—a directory with the same prefix as the CWD, combined with the attacker's ability to insert untrusted content into a Claude Code context window. Successful attacks enable high confidentiality and integrity impacts, such as reading sensitive files or modifying data outside the restricted directory.
The vulnerability is addressed in Claude Code version 0.2.111. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23572
Vulnerability details
Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on…
more
the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Privacy and Disclosure
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal bypasses directory restrictions to enable direct unauthorized read/write access to files on the local filesystem outside the CWD.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the path validation flaw by requiring canonical path comparison and validation of untrusted file path inputs to block traversal outside the CWD.
Enforces strict access control policies for directory restrictions, preventing unauthorized file access via flawed prefix matching in path enforcement mechanisms.
Limits impact of successful path traversal by ensuring the Claude Code process operates with least privilege, restricting access to files outside the intended CWD.