CVE-2026-25722

Severity: High · Type: RCE

Published: 06 February 2026
Modified: 09 February 2026
KEV Added: not listed
Patch: available (version 2.0.57)
CVSS Score (v4.0): 7.7 · CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0036 (27.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-25722 is a high-severity Improper Input Validation (CWE-20) vulnerability in Anthropic Claude Code. Its CVSS v4.0 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 27.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25722 is a vulnerability in Claude Code, an agentic coding tool, affecting versions prior to 2.0.57. It arises from inadequate validation of directory changes when paired with write operations to protected folders, linked to CWE-20 (Improper Input Validation) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command). An attacker can use the 'cd' command to navigate into sensitive directories like .claude, bypassing write protections and enabling the creation or modification of files without user confirmation. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

Exploitation requires the ability to inject untrusted content into a Claude Code context window, allowing network-accessible attackers with no privileges or user interaction to conduct the attack with low complexity. Successful exploitation enables high-impact integrity and availability violations, such as unauthorized file writes to protected areas, potentially compromising the tool's security boundaries.

The vulnerability has been patched in Claude Code version 2.0.57. Additional details on the issue and remediation are available in the security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh.

Vulnerability details

Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.
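The defect described above is a write check that looked at the literal target of a write but not at where a preceding cd had moved the working directory. The following Python sketch is an added illustration of the kind of check the SI-10 control on this page calls for; it is not Claude Code's code and not the fix in the linked advisory. It tracks the effective working directory through every cd in a shell line, resolves each write target lexically (no filesystem access), and holds the command for confirmation if the resolved path lands inside a protected folder. The project root, the protected folder names, the small table of write commands and the sample command lines are all constructed for the example.

```python
"""Hypothetical write guard (illustrative, not Claude Code's implementation):
track `cd` across a shell command line and flag writes that resolve into a
protected project directory, however the path was spelled."""
import posixpath
import shlex

# Protected folders relative to the project root (constructed for this example).
PROTECTED_DIRS = (".claude", ".git/hooks")

SEGMENT_OPS = {"&&", "||", ";", "|", "&"}
REDIRECT_OPS = {">", ">>", "&>", "&>>"}
# Commands whose non-option arguments are write targets (constructed, not exhaustive).
WRITE_ALL_ARGS = {"touch", "tee", "mkdir"}
WRITE_LAST_ARG = {"cp", "mv"}


def tokenize(command):
    """Split a POSIX shell line into words and operators, honouring quotes."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def split_segments(tokens):
    """Break a token list into simple commands at &&, ||, ;, | and &.
    Parentheses are dropped, so a cd inside a subshell is treated as if it
    persisted: conservative over-flagging rather than a missed write."""
    segments, current = [], []
    for tok in tokens:
        if tok in SEGMENT_OPS:
            if current:
                segments.append(current)
            current = []
        elif tok not in ("(", ")"):
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def resolve(cwd, target):
    """Resolve target against cwd lexically, collapsing . and .. components."""
    if not posixpath.isabs(target):
        target = posixpath.join(cwd, target)
    return posixpath.normpath(target)


def is_within(path, parent):
    """True if path equals parent or lies beneath it."""
    parent = parent.rstrip("/")
    return path == parent or path.startswith(parent + "/")


def write_targets(segment):
    """Collect the file paths a simple command would write to: redirection
    targets plus the arguments of the known write commands."""
    targets, args, skip = [], [], False
    for tok in segment[1:]:
        if skip:                      # token after a redirection op is its target
            targets.append(tok)
            skip = False
        elif tok in REDIRECT_OPS:
            skip = True
        elif not tok.startswith("-"):  # ignore options such as -p or -a
            args.append(tok)
    cmd = segment[0]
    if cmd in WRITE_ALL_ARGS:
        targets.extend(args)
    elif cmd in WRITE_LAST_ARG and len(args) >= 2:
        targets.append(args[-1])
    return targets


def find_protected_writes(command, project_root, cwd=None):
    """Return (simple command, resolved path) pairs for writes into a protected
    folder. cwd is updated on every `cd`, so `cd .claude && echo x > f` and
    `echo x > .claude/f` are judged identically."""
    cwd = cwd or project_root
    protected = [posixpath.join(project_root, d) for d in PROTECTED_DIRS]
    findings = []
    for seg in split_segments(tokenize(command)):
        if seg[0] == "cd":
            dest = seg[1] if len(seg) > 1 else project_root  # bare cd: assume project root
            cwd = resolve(cwd, dest)
            continue
        for target in write_targets(seg):
            path = resolve(cwd, target)
            if any(is_within(path, p) for p in protected):
                findings.append((" ".join(seg), path))
    return findings


def requires_confirmation(command, project_root, cwd=None):
    """True when the command should be held for explicit user approval."""
    return bool(find_protected_writes(command, project_root, cwd))


if __name__ == "__main__":
    root = "/work/proj"  # constructed project root
    for line in ("cd .claude && echo '{}' > settings.json",
                 "cd src && echo x > ../.claude/hooks.json",
                 "cd src && touch main.py"):
        print(line, "->", find_protected_writes(line, root))
```

The check is deliberately lexical and conservative: it cannot see through eval, sh -c, variable expansion or command substitution, so it is a pre-execution gate, not a boundary. The AC-3 control listed under Mitigating Controls is the complement: enforce the protected-folder policy at the filesystem or sandbox layer as well, so that a command the parser fails to classify still cannot modify .claude without approval.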

CWE(s)

CWE-20 (Improper Input Validation), CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: claude

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability allows network-accessible attackers to inject OS commands (e.g., 'cd') into the Claude Code context window, exploiting the public-facing application (T1190) and enabling Unix shell command execution (T1059.004) to bypass protections and perform unauthorized file writes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64755 (same product: Anthropic Claude Code)
CVE-2025-54795 (same product: Anthropic Claude Code)
CVE-2026-24887 (same product: Anthropic Claude Code)
CVE-2025-59041 (same product: Anthropic Claude Code)
CVE-2026-40068 (same product: Anthropic Claude Code)
CVE-2025-58764 (same product: Anthropic Claude Code)
CVE-2026-24052 (same product: Anthropic Claude Code)
CVE-2026-25724 (same product: Anthropic Claude Code)
CVE-2026-25725 (same product: Anthropic Claude Code)
CVE-2026-39861 (same product: Anthropic Claude Code)

Affected Assets

Anthropic Claude Code, ≤ 2.0.57

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 mandates information input validation at defined points, directly preventing improper validation of directory change commands like 'cd' that enable path traversal and unauthorized writes to protected folders.

Prevent: AC-3 enforces approved access control policies for subjects and objects, blocking write operations to sensitive directories like .claude despite manipulated paths.

Detect: SI-7 monitors for unauthorized changes to software and information, detecting file creations or modifications in protected areas resulting from the exploitation.
