CVE-2025-54794
Published: 05 August 2025
Summary
CVE-2025-54794 is a critical-severity Path Traversal (CWE-22) vulnerability in Anthropic Claude Code. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the path validation flaw by requiring canonical path comparison and validation of untrusted file path inputs to block traversal outside the CWD.
Enforces strict access control policies for directory restrictions, preventing unauthorized file access via flawed prefix matching in path enforcement mechanisms.
Limits impact of successful path traversal by ensuring the Claude Code process operates with least privilege, restricting access to files outside the intended CWD.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal bypasses directory restrictions to enable direct unauthorized read/write access to files on the local filesystem outside the CWD.
NVD Description
Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on…
more
the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111.
Deeper analysisAI
CVE-2025-54794 is a path traversal vulnerability (CWE-22) in Claude Code, an agentic coding tool developed by Anthropic. Versions below 0.2.111 use prefix matching for path validation instead of canonical path comparison, allowing attackers to bypass directory restrictions and access files outside the current working directory (CWD). The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and was published on 2025-08-05.
Exploitation is possible by remote attackers requiring no privileges or user interaction. It depends on the presence of—or ability to create—a directory with the same prefix as the CWD, combined with the attacker's ability to insert untrusted content into a Claude Code context window. Successful attacks enable high confidentiality and integrity impacts, such as reading sensitive files or modifying data outside the restricted directory.
The vulnerability is addressed in Claude Code version 0.2.111. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2.
Details
- CWE(s)