CVE-2025-54795
Published: 05 August 2025
Summary
CVE-2025-54795 is a critical-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of all inputs to the command parsing mechanism, directly countering the improper neutralization of special elements (CWE-78) that allows untrusted command injection in Claude Code.
SI-2 requires timely flaw remediation, such as patching Claude Code to version 1.0.20, which specifically fixes the command parsing bypass vulnerability.
AC-6 enforces least privilege on processes that execute parsed commands, limiting the scope and impact of any untrusted commands injected via the bypassed confirmation prompt.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) with remote unauthenticated trigger directly enables arbitrary command execution via T1059 and exploitation of a network-accessible application via T1190.
NVD Description
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to…
more
add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.
Deeper analysisAI
CVE-2025-54795 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Claude Code, an agentic coding tool from Anthropic. Published on 2025-08-05, it arises from an error in command parsing in versions below 1.0.20, enabling attackers to bypass the tool's confirmation prompt and trigger execution of untrusted commands. The issue is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Reliable exploitation depends on the ability to insert untrusted content into a Claude Code context window, potentially leading to arbitrary command execution with high impacts on confidentiality, integrity, and availability.
The vulnerability is addressed in Claude Code version 1.0.20. Additional details on mitigation and patches are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34.
Details
- CWE(s)