Anthropic Claude Code vulnerabilities
29 known vulnerabilities affecting anthropic/claude_code.
Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 13, HIGH 12, MEDIUM 4
Vulnerabilities
Page 1 of 2
CVE-2025-59536 | P2 | HIGH | CVSS 8.8 | CWE-94 | fixed in 1.0.111 | 2025-10-03
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory. U
Source: nvd
CVE-2026-21852 | P2 | HIGH | CVSS 7.5 | CWE-522 | fixed in 2.0.65 | 2026-01-21
Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint and
Source: nvd
CVE-2026-39861 | P2 | CRITICAL | CVSS 10.0 | CWE-22 | fixed in 2.1.64 | 2026-04-21
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the w
Source: nvd
CVE-2025-66032 | P2 | CRITICAL | CVSS 9.8 | CWE-77 | fixed in 1.0.93 | 2025-12-03
Claude Code is an agentic coding tool. Prior to 1.0.93, due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulne
Source: nvd
CVE-2026-25725 | P2 | CRITICAL | CVSS 10.0 | CWE-501 | fixed in 2.1.2 | 2026-02-06
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints
Source: nvd
CVE-2025-54795 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 1.0.20 | 2025-08-05
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.
Source: nvd
CVE-2025-59041 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 1.0.105 | 2025-09-10
Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execution before a user accepted the workspace trust dialog. Users on standard Claude Code auto-update will have rece
Source: nvd
CVE-2026-54316 | P2 | CRITICAL | CVSS 9.1 | CWE-183 | affected ≥ 0.2.54, < 2.1.163 | 2026-06-23
Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to i
Source: nvd
CVE-2025-58764 | P2 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 1.0.105 | 2025-09-10
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code
Source: nvd
CVE-2025-64755 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 2.0.31 | 2025-11-21
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
Source: nvd
CVE-2026-24887 | P2 | HIGH | CVSS 8.8 | CWE-78 | fixed in 2.0.72 | 2026-02-03
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has bee
Source: nvd
CVE-2025-65099 | P3 | CRITICAL | CVSS 9.8 | CWE-94 | fixed in 1.0.39 | 2025-11-19
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user to start Claude Code in an untrusted directory and
Source: nvd
CVE-2025-59828 | P3 | CRITICAL | CVSS 9.8 | CWE-829 | fixed in 1.0.39 | 2025-09-24
Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrust
Source: nvd
CVE-2025-54794 | P3 | CRITICAL | CVSS 9.1 | CWE-22 | fixed in 0.2.111 | 2025-08-05
Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CW
Source: nvd
CVE-2026-35022 | P2 | CRITICAL | CVSS 9.3 | CWE-78 | affected ≤ 2.1.91 | 2026-04-06
Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRef
Source: cvelistv5, nvd
CVE-2026-25722 | P3 | CRITICAL | CVSS 9.1 | CWE-20 | fixed in 2.0.57 | 2026-02-06
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmati
Source: nvd
CVE-2026-55607 | P3 | HIGH | CVSS 8.8 | CWE-22 | affected ≥ 2.1.38, < 2.1.163 | 2026-06-29
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwr
Source: nvd
CVE-2026-33068 | P3 | HIGH | CVSS 8.8 | CWE-807 | fixed in 2.1.53 | 2026-03-20
Claude Code is an agentic coding tool. Versions prior to 2.1.53 resolved the permission mode from settings files, including the repo-controlled .claude/settings.json, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set permissions.defaultMode to bypassPermissions in its committed .claude/sett
Source: nvd
CVE-2026-40068 | P3 | HIGH | CVSS 8.8 | CWE-20 | affected ≥ 2.1.63, < 2.1.84 | 2026-05-05
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code to bypass its trust confirmation dialog and immediately
Source: nvd
CVE-2026-25724 | P3 | HIGH | CVSS 7.5 | CWE-61 | fixed in 2.1.7 | 2026-02-06
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for
Source: nvd