CVE-2025-58764
Published: 10 September 2025
Summary
CVE-2025-58764 is a high-severity Code Injection (CWE-94) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-58764 is a critical code injection vulnerability (CWE-94) in Claude Code, an agentic coding tool developed by Anthropic. The issue stems from an error in command parsing that allows attackers to bypass the tool's confirmation prompt, enabling the execution of untrusted commands. This affects all versions of Claude Code prior to 1.0.105, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.
Exploitation requires an attacker to insert untrusted content into the Claude Code context window, after which the parsing flaw reliably triggers arbitrary command execution on the host system. Any unauthenticated remote attacker capable of influencing the context—such as through malicious inputs in collaborative coding sessions, shared projects, or integrated workflows—can achieve full compromise, including unauthorized access to sensitive data, modification of files, or system disruption.
The official advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-qxfv-fcpc-w36x confirms that users on standard auto-update channels have received the fix automatically. Those using manual updates must upgrade to version 1.0.105 or later to mitigate the vulnerability, as no additional workarounds are provided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27564
Vulnerability details
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires…
more
the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via command injection in network-reachable agentic tool enables public app exploitation (T1190) and arbitrary command execution (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and patching of flaws like the command parsing error in Claude Code versions prior to 1.0.105.
Enforces validation of untrusted inputs to the Claude Code context window to block malicious command injection.
Limits privileges of processes executing commands in Claude Code to minimize impact of bypassed confirmation prompts and untrusted command execution.