CVE-2025-58764
Published: 10 September 2025
Summary
CVE-2025-58764 is a critical-severity Code Injection (CWE-94) vulnerability in Anthropic Claude Code. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of flaws like the command parsing error in Claude Code versions prior to 1.0.105.
Enforces validation of untrusted inputs to the Claude Code context window to block malicious command injection.
Limits privileges of processes executing commands in Claude Code to minimize impact of bypassed confirmation prompts and untrusted command execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via command injection in network-reachable agentic tool enables public app exploitation (T1190) and arbitrary command execution (T1059).
NVD Description
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires…
more
the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to version 1.0.105 or the latest version.
Deeper analysisAI
CVE-2025-58764 is a critical code injection vulnerability (CWE-94) in Claude Code, an agentic coding tool developed by Anthropic. The issue stems from an error in command parsing that allows attackers to bypass the tool's confirmation prompt, enabling the execution of untrusted commands. This affects all versions of Claude Code prior to 1.0.105, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.
Exploitation requires an attacker to insert untrusted content into the Claude Code context window, after which the parsing flaw reliably triggers arbitrary command execution on the host system. Any unauthenticated remote attacker capable of influencing the context—such as through malicious inputs in collaborative coding sessions, shared projects, or integrated workflows—can achieve full compromise, including unauthorized access to sensitive data, modification of files, or system disruption.
The official advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-qxfv-fcpc-w36x confirms that users on standard auto-update channels have received the fix automatically. Those using manual updates must upgrade to version 1.0.105 or later to mitigate the vulnerability, as no additional workarounds are provided.
Details
- CWE(s)