Cyber Resilience

CVE-2025-64755

HighRCE

Published: 21 November 2025

Published
21 November 2025
Modified
04 December 2025
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0011 29.6th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64755 is a high-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-64755 is a high-severity vulnerability in Claude Code, an agentic coding tool developed by Anthropic. In versions prior to 2.0.31, an error in sed command parsing allows bypassing the tool's read-only validation, enabling arbitrary file writes on the host system. The flaw is categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical risk due to its network accessibility and potential for complete host compromise.

The vulnerability can be exploited by any remote attacker without authentication, privileges, or user interaction, requiring only low attack complexity over the network. Successful exploitation grants the ability to write to arbitrary files on the host, which could lead to full system takeover, data exfiltration, persistence, or execution of malicious code, with high impacts on confidentiality, integrity, and availability.

Anthropic has patched the issue in Claude Code version 2.0.31. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q.

EU & UK References

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue…

more

has been patched in version 2.0.31.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote unauthenticated OS command injection in a network-accessible public-facing application (Claude Code), allowing arbitrary file writes and host compromise, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-54795Same product: Anthropic Claude Code
CVE-2026-25722Same product: Anthropic Claude Code
CVE-2025-58764Same product: Anthropic Claude Code
CVE-2026-24887Same product: Anthropic Claude Code
CVE-2025-59041Same product: Anthropic Claude Code
CVE-2025-54794Same product: Anthropic Claude Code
CVE-2025-65099Same product: Anthropic Claude Code
CVE-2026-25724Same product: Anthropic Claude Code
CVE-2026-33068Same product: Anthropic Claude Code
CVE-2026-21852Same product: Anthropic Claude Code

Affected Assets

anthropic
claude code
≤ 2.0.31

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely flaw remediation through patching to version 2.0.31, directly eliminating the sed command injection vulnerability.

prevent

Mandates validation and sanitization of inputs to OS commands like sed, preventing improper neutralization of special elements leading to command injection.

prevent

Enforces least privilege on the Claude Code process, limiting the scope and impact of arbitrary file writes even if injection succeeds.

References