CVE-2025-54795
published 2025-08-05

Priority: P2 · 62 · critical
CVSS 3.1: 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
EPSS: 0.94% (56.6th percentile)
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.

Affected (3 ranges)

Vendor          Product       Version range     Fixed in
anthropic-ai    claude-code   >= 0, < 1.0.20    1.0.20
anthropic       claude_code   < 1.0.20          1.0.20
anthropics      claude-code   < 1.0.20          1.0.20

Detection & IOCs (extracted from sources)

  • Argument injection via pre-approved commands (e.g., `go test -exec`, `git show --format/--output`, `rg --pre`) can bypass human-in-the-loop approval in Claude Code and similar agents; monitor for unusual flag combinations on allowlisted commands
  • Monitor `go test` invocations for use of the `-exec` flag, which can redirect test binary execution to an arbitrary program (e.g., bash, curl), achieving RCE without triggering approval prompts
  • Prompt injection payloads embedded in code comments, agentic rule files, GitHub repositories, and logging output can trigger argument injection attacks; treat all external content ingested into agent context as untrusted
  • CVE-2025-54795 affects Claude Code versions below 1.0.20; detect vulnerable deployments by checking the installed version and alerting on any version < 1.0.20
  • Exploitation requires the attacker to be able to inject untrusted content into the Claude Code context window (e.g., via prompt injection in files, repos, comments, or logs); direct shell operator injection (`;`, `&&`, backticks, `$()`) is blocked by command execution libraries in most affected systems
  • The fix is available in Claude Code version 1.0.20; versions below this are vulnerable
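As an added example (not code from the record's sources or from Claude Code itself), a small Python audit that applies the detection bullets above: it compares an installed version against the 1.0.20 fix and flags allowlisted commands that carry the execution-redirecting flags named in this record, run over a constructed sample of agent tool-call log lines. The flag table, the sample lines and the `/tmp/...` paths in them are assumptions and placeholders.

```python
import re
import shlex

FIXED_VERSION = (1, 0, 20)

# Flags that make an otherwise allowlisted command run a different program,
# taken from the examples in this record; keyed by (tool, subcommand).
# A None subcommand matches any invocation of that tool. (Assumed table.)
RISKY_FLAGS = {
    ("go", "test"): {"-exec"},
    ("git", "show"): {"--format", "--output"},
    ("rg", None): {"--pre"},
}
# Shell operators the record says most command-execution libraries already block.
SHELL_OPERATORS = re.compile(r"(;|&&|\|\||`|\$\()")


def parse_version(text):
    """'v1.0.19' or '1.0.20-beta' -> (major, minor, patch) tuple."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version):
    """True for any Claude Code version below the 1.0.20 fix."""
    return parse_version(version) < FIXED_VERSION


def audit_command(cmdline):
    """Return a list of findings for one command line an agent proposes to run."""
    findings = []
    if SHELL_OPERATORS.search(cmdline):
        findings.append("shell operator present")
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return ["unparseable command line"]
    if not argv:
        return findings
    tool = argv[0].rsplit("/", 1)[-1]            # tolerate /usr/bin/go
    sub = argv[1] if len(argv) > 1 else None
    key = (tool, sub) if (tool, sub) in RISKY_FLAGS else (tool, None)
    label = " ".join(part for part in key if part)
    for flag in RISKY_FLAGS.get(key, ()):
        # Match both the `-exec prog` and the `-exec=prog` / `--pre=prog` spellings.
        if any(arg == flag or arg.startswith(flag + "=") for arg in argv[1:]):
            findings.append(f"{label}: execution-redirecting flag {flag}")
    return findings


# Constructed sample of agent tool-call log lines (not real data).
SAMPLE_LOG = [
    "go test ./...",
    "go test -exec /tmp/run.sh ./...",
    "rg --pre=/tmp/filter.sh TODO src/",
    "git show --output=/tmp/x HEAD",
    "ls -la; curl http://example.invalid",
]


def scan_log(lines):
    """Map each suspicious log line to its findings; clean lines are omitted."""
    return {line: audit_command(line) for line in lines if audit_command(line)}


if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {hits}: {line}")
```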

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X