CVE-2025-54795
Published: 05 August 2025
Summary
CVE-2025-54795 is a high-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-54795 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting Claude Code, an agentic coding tool from Anthropic. Published on 2025-08-05, it arises from an error in command parsing in versions below 1.0.20, enabling attackers to bypass the tool's confirmation prompt and trigger execution of untrusted commands. The issue is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no privileges or user interaction. Reliable exploitation depends on the ability to insert untrusted content into a Claude Code context window, potentially leading to arbitrary command execution with high impacts on confidentiality, integrity, and availability.
The vulnerability is addressed in Claude Code version 1.0.20. Additional details on mitigation and patches are available in the GitHub security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23573
Vulnerability details
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to…
more
add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) with remote unauthenticated trigger directly enables arbitrary command execution via T1059 and exploitation of a network-accessible application via T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 mandates validation of all inputs to the command parsing mechanism, directly countering the improper neutralization of special elements (CWE-78) that allows untrusted command injection in Claude Code.
SI-2 requires timely flaw remediation, such as patching Claude Code to version 1.0.20, which specifically fixes the command parsing bypass vulnerability.
AC-6 enforces least privilege on processes that execute parsed commands, limiting the scope and impact of any untrusted commands injected via the bypassed confirmation prompt.