CVE-2025-64755
Published: 21 November 2025
Summary
CVE-2025-64755 is a high-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-64755 is a high-severity vulnerability in Claude Code, an agentic coding tool developed by Anthropic. In versions prior to 2.0.31, an error in sed command parsing allows bypassing the tool's read-only validation, enabling arbitrary file writes on the host system. The flaw is categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical risk due to its network accessibility and potential for complete host compromise.
The vulnerability can be exploited by any remote attacker without authentication, privileges, or user interaction, requiring only low attack complexity over the network. Successful exploitation grants the ability to write to arbitrary files on the host, which could lead to full system takeover, data exfiltration, persistence, or execution of malicious code, with high impacts on confidentiality, integrity, and availability.
Anthropic has patched the issue in Claude Code version 2.0.31. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-198355
Vulnerability details
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue…
more
has been patched in version 2.0.31.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: claude
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated OS command injection in a network-accessible public-facing application (Claude Code), allowing arbitrary file writes and host compromise, directly mapping to T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely flaw remediation through patching to version 2.0.31, directly eliminating the sed command injection vulnerability.
Mandates validation and sanitization of inputs to OS commands like sed, preventing improper neutralization of special elements leading to command injection.
Enforces least privilege on the Claude Code process, limiting the scope and impact of arbitrary file writes even if injection succeeds.