CVE-2025-54795
Published 2025-08-05
Priority: P262, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.94% (56.6th percentile)
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anthropic-ai | claude-code | >= 0 < 1.0.20 | 1.0.20 |
| anthropic | claude_code | < 1.0.20 | 1.0.20 |
| anthropics | claude-code | < 1.0.20 | 1.0.20 |
Detection & IOCs (extracted from sources)
- Argument injection via pre-approved commands (e.g., `go test -exec`, `git show --format/--output`, `rg --pre`) can bypass human-in-the-loop approval in Claude Code and similar agents; monitor for unusual flag combinations on allowlisted commands.
- Monitor `go test` invocations for use of the `-exec` flag, which can redirect test binary execution to an arbitrary program (e.g., bash, curl), achieving RCE without triggering approval prompts.
- Prompt injection payloads embedded in code comments, agentic rule files, GitHub repositories, and logging output can trigger argument injection attacks; treat all external content ingested into agent context as untrusted.
- CVE-2025-54795 affects Claude Code versions below 1.0.20; detect vulnerable deployments by checking the installed version and alerting on any version < 1.0.20.
- Exploitation requires the attacker to be able to inject untrusted content into the Claude Code context window (e.g., via prompt injection in files, repos, comments, or logs); direct shell operator injection (`;`, `&&`, backticks, `$()`) is blocked by command execution libraries in most affected systems.
- The fix is available in Claude Code version 1.0.20; versions below this are vulnerable.
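The monitoring described in the bullets above, as an added example that is not taken from the advisory or from any vendor tooling: it flags the listed options on allowlisted commands in an agent's command log and checks a version string against 1.0.20. The function names, the log format (one command line per entry) and the sample lines are assumptions constructed for illustration.

```python
import re
import shlex
# Flags named on this page, keyed by (binary, subcommand or None).
RISKY_FLAGS = {
    ("go", "test"): {"-exec", "--exec"},  # Go's flag parser accepts both spellings
    ("git", "show"): {"--format", "--output"},
    ("rg", None): {"--pre"},
}
FIXED_VERSION = (1, 0, 20)  # fixed Claude Code release per the advisory

def risky_flags(cmdline):
    """Return the risky flags present in one logged command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["<unparseable>"]  # unbalanced quoting: surface for review
    if not argv:
        return []
    binary = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths
    hits = set()
    for (name, sub), flags in RISKY_FLAGS.items():
        if binary != name:
            continue
        args = argv[1:]
        if sub is not None:
            if sub not in args:
                continue
            args = args[args.index(sub) + 1:]
        for arg in args:
            if arg == "--":  # end of options; the rest are operands
                break
            flag = arg.split("=", 1)[0]  # matches --pre and --pre=value
            if flag in flags:
                hits.add(flag)
    return sorted(hits)

def is_vulnerable(version):
    """True if the x.y.z version is below 1.0.20; unparseable input fails closed."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    return m is None or tuple(map(int, m.groups())) < FIXED_VERSION

# Constructed agent command-log lines (not real telemetry).
SAMPLE_LOG = [
    "go test ./...",
    "go test -exec ./wrapper.sh ./pkg",
    "git show --format=%H --output=out.txt HEAD",
    "rg --pre ./helper.sh TODO src/",
]
ALERTS = {line: risky_flags(line) for line in SAMPLE_LOG if risky_flags(line)}
```

The matcher only knows the exact flag spellings listed on this page; extend `RISKY_FLAGS` for any other command an agent is allowed to run without approval.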
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
Claude Code echo command allowed bypass of user approval prompt for command execution
ghsa·2025-08-04
CVE-2025-54795 [HIGH] CWE-78 Claude Code echo command allowed bypass of user approval prompt for command execution
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window.
Users on standard Claude Code auto-update received this fix automatically after release. Current users of Claude Code are unaffected, as versions prior to 1.0.24 are deprecated and have been forced to update.
Thank you to Elad Beber (Cymulate) for reporting this issue!
OSV
Claude Code echo command allowed bypass of user approval prompt for command execution
osv·2025-08-04
CVE-2025-54795 [HIGH] Claude Code echo command allowed bypass of user approval prompt for command execution
No detection rules found.
No public exploits indexed.
Trailofbits
Prompt injection to RCE in AI agents
blogs_trailofbits·2025-10-22
Modern AI agents increasingly execute system commands to automate filesystem operations, code analysis, and development workflows. While some of these commands are allowed to execute automatically for efficiency, others require human approval, which may seem like robust protection against attacks like command injection. However, we’ve commonly experienced a pattern of bypassing the human approval protection through argument injection attacks that exploit pre-approved commands, allowing us to achieve remote code execution (RCE).
This blog post focuses on the design antipatterns that create these vulnerabilities, with concrete examples demonstrating successful RCE across three different agent platforms. Although we cannot name the products in this post due to ongoing coordinated disclosure,