CVE-2025-54795

EPSS 0.28%
Veröffentlicht 05.08.2025 00:07:29
Zuletzt bearbeitet 24.10.2025 14:05:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Anthropic ≫ Claude Code SwPlatformnode.js Version < 1.0.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.506

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-54795

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-54795

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-54795

EUVD