Cyber Resilience

CVE-2025-54795

HighRCE

Published: 05 August 2025

Published
05 August 2025
Modified
24 October 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0054 68.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54795 is a high-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54795 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Claude Code, an agentic coding tool from Anthropic. Published on 2025-08-05, it arises from an error in command parsing in versions below 1.0.20, enabling attackers to bypass the tool's confirmation prompt and trigger execution of untrusted commands. The issue is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Reliable exploitation depends on the ability to insert untrusted content into a Claude Code context window, potentially leading to arbitrary command execution with high impacts on confidentiality, integrity, and availability.

The vulnerability is addressed in Claude Code version 1.0.20. Additional details on mitigation and patches are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34.

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to…

more

add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection (CWE-78) with remote unauthenticated trigger directly enables arbitrary command execution via T1059 and exploitation of a network-accessible application via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64755Same product: Anthropic Claude Code
CVE-2025-58764Same product: Anthropic Claude Code
CVE-2026-25722Same product: Anthropic Claude Code
CVE-2026-24887Same product: Anthropic Claude Code
CVE-2025-59041Same product: Anthropic Claude Code
CVE-2025-54794Same product: Anthropic Claude Code
CVE-2025-65099Same product: Anthropic Claude Code
CVE-2026-40068Same product: Anthropic Claude Code
CVE-2026-25724Same product: Anthropic Claude Code
CVE-2026-33068Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 1.0.20

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 mandates validation of all inputs to the command parsing mechanism, directly countering the improper neutralization of special elements (CWE-78) that allows untrusted command injection in Claude Code.

prevent

SI-2 requires timely flaw remediation, such as patching Claude Code to version 1.0.20, which specifically fixes the command parsing bypass vulnerability.

prevent

AC-6 enforces least privilege on processes that execute parsed commands, limiting the scope and impact of any untrusted commands injected via the bypassed confirmation prompt.

References