SB2026043049 - Path traversal in Claude Code



Published: April 30, 2026

Security Bulletin ID: SB2026043049
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Path traversal (CVE-ID: CVE-2025-54794)

The vulnerability allows a remote attacker to access unauthorized files outside the current working directory.

The vulnerability exists because the path validation logic checks file paths using prefix matching instead of canonical path comparison. A remote attacker can add untrusted content into a Claude Code context window to access unauthorized files outside the current working directory.

Successful exploitation depends on the presence of, or the ability to create, a directory with the same prefix as the current working directory.


Remediation

Install the update from the vendor's website.