CVE-2025-64755
Published: 21 November 2025
Summary
CVE-2025-64755 is a critical-severity OS Command Injection (CWE-78) vulnerability in Anthropic Claude Code. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely flaw remediation through patching to version 2.0.31, directly eliminating the sed command injection vulnerability.
Mandates validation and sanitization of inputs to OS commands like sed, preventing improper neutralization of special elements leading to command injection.
Enforces least privilege on the Claude Code process, limiting the scope and impact of arbitrary file writes even if injection succeeds.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated OS command injection in a network-accessible public-facing application (Claude Code), allowing arbitrary file writes and host compromise, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue…
more
has been patched in version 2.0.31.
Deeper analysisAI
CVE-2025-64755 is a high-severity vulnerability in Claude Code, an agentic coding tool developed by Anthropic. In versions prior to 2.0.31, an error in sed command parsing allows bypassing the tool's read-only validation, enabling arbitrary file writes on the host system. The flaw is categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical risk due to its network accessibility and potential for complete host compromise.
The vulnerability can be exploited by any remote attacker without authentication, privileges, or user interaction, requiring only low attack complexity over the network. Successful exploitation grants the ability to write to arbitrary files on the host, which could lead to full system takeover, data exfiltration, persistence, or execution of malicious code, with high impacts on confidentiality, integrity, and availability.
Anthropic has patched the issue in Claude Code version 2.0.31. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub Security Advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q.
Details
- CWE(s)