Cyber Resilience

CVE-2025-58764

HighRCE

Published: 10 September 2025

Published
10 September 2025
Modified
24 October 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0068 72.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-58764 is a high-severity Code Injection (CWE-94) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-58764 is a critical code injection vulnerability (CWE-94) in Claude Code, an agentic coding tool developed by Anthropic. The issue stems from an error in command parsing that allows attackers to bypass the tool's confirmation prompt, enabling the execution of untrusted commands. This affects all versions of Claude Code prior to 1.0.105, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

Exploitation requires an attacker to insert untrusted content into the Claude Code context window, after which the parsing flaw reliably triggers arbitrary command execution on the host system. Any unauthenticated remote attacker capable of influencing the context—such as through malicious inputs in collaborative coding sessions, shared projects, or integrated workflows—can achieve full compromise, including unauthorized access to sensitive data, modification of files, or system disruption.

The official advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-qxfv-fcpc-w36x confirms that users on standard auto-update channels have received the fix automatically. Those using manual updates must upgrade to version 1.0.105 or later to mitigate the vulnerability, as no additional workarounds are provided.

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires…

more

the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct RCE via command injection in network-reachable agentic tool enables public app exploitation (T1190) and arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59041Same product: Anthropic Claude Code
CVE-2025-54795Same product: Anthropic Claude Code
CVE-2025-65099Same product: Anthropic Claude Code
CVE-2025-64755Same product: Anthropic Claude Code
CVE-2026-24887Same product: Anthropic Claude Code
CVE-2025-54794Same product: Anthropic Claude Code
CVE-2026-25722Same product: Anthropic Claude Code
CVE-2026-40068Same product: Anthropic Claude Code
CVE-2026-25724Same product: Anthropic Claude Code
CVE-2026-33068Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 1.0.105

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and patching of flaws like the command parsing error in Claude Code versions prior to 1.0.105.

prevent

Enforces validation of untrusted inputs to the Claude Code context window to block malicious command injection.

prevent

Limits privileges of processes executing commands in Claude Code to minimize impact of bypassed confirmation prompts and untrusted command execution.

References