OS Command Injection in Claude Code - CVE-2025-64755


Published: April 30, 2026


Vulnerability identifier: #VU128522
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-64755
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Claude Code
Software vendor: Anthropic

Description

The vulnerability allows a remote attacker to write to arbitrary files on the host system.

The vulnerability exists due to improper neutralization of special elements used in an OS command when Claude Code parses sed commands. A sed command line can be constructed so that it passes the tool's read-only validation while still writing output to a file, so a remote attacker can bypass that check and write to arbitrary files on the host system.

User interaction is required.
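The advisory does not say which sed construct slipped past the check, so the following is an added illustration of the class of defect rather than Claude Code's own validator or the actual bypass. It places a weak blocklist check (`naiveIsReadOnly`, which only looks for `-i`) beside an allowlist check (`sedIsReadOnly`, `scriptIsReadOnly`) that parses the sed script and treats every option or command it does not recognise, including a script it cannot parse, as a potential write. All function names and the constructed argv inputs are assumptions for this example.

```javascript
'use strict';
// Added illustration, not Claude Code's validator and not the bypass behind
// CVE-2025-64755: a blocklist check (look for -i) beside an allowlist check that
// parses the sed script and rejects anything it cannot prove is read-only.

// Weak check: only refuses in-place editing, yet sed also writes files through
// the w/W commands and the w flag of s, and runs programs through e.
function naiveIsReadOnly(argv) {
  return !argv.slice(1).some((a) => /^-[^-]*i|^--in-place/.test(a));
}

// Allowlists: commands that neither write nor run programs (w, W, e, r, R, a, i,
// c, branches and labels are absent), argument-less short options, long options.
const SAFE_CMDS = new Set(['p', 'P', 'd', 'D', 'n', 'N', 'g', 'G', 'h', 'H', 'x', 'z', 'q', 'Q', 'l', '=']);
const SAFE_SHORT = new Set(['n', 'E', 'r', 'z', 'u']);
const SAFE_LONG = new Set(['--quiet', '--silent', '--regexp-extended', '--null-data',
  '--unbuffered', '--posix', '--sandbox', '--debug']);
const SAFE_S_FLAGS = /^[gpiImM0-9]*$/; // excludes the w (write) and e (exec) flags
const digit = (c) => c !== undefined && c >= '0' && c <= '9';

// Advance past one delimited section (regex, replacement, y sets); -1 if unterminated.
function skipDelimited(s, i, delim) {
  for (; i < s.length; i++) {
    if (s[i] === '\\') { i++; continue; } // backslash escapes the next character
    if (s[i] === '\n') return -1;
    if (s[i] === delim) return i + 1;
  }
  return -1;
}

// Advance past an optional address (N, N~M, $, /re/, "a,b") and any trailing `!`;
// -1 if malformed. Anything else is left for the command allowlist to reject.
function skipAddress(s, i) {
  const one = (j) => {
    if (s[j] === '$') return j + 1;
    if (s[j] === '/') return skipDelimited(s, j + 1, '/');
    const start = j;
    while (digit(s[j])) j++;
    if (j > start && s[j] === '~') { j++; while (digit(s[j])) j++; }
    return j; // j === start means there was no address here
  };
  let j = one(i);
  if (j > i && s[j] === ',') {
    const k = one(j + 1);
    if (k === j + 1) return -1; // "," with nothing after it
    j = k;
  }
  if (j < 0) return -1;
  while (s[j] === ' ' || s[j] === '\t' || s[j] === '!') j++;
  return j;
}

// Allowlist walk over one sed script; false on anything unknown or unparsable.
function scriptIsReadOnly(s) {
  let depth = 0;
  for (let i = 0; i < s.length; ) {
    if (/[\s;]/.test(s[i])) { i++; continue; }
    if (s[i] === '#') { while (i < s.length && s[i] !== '\n') i++; continue; }
    i = skipAddress(s, i);
    if (i < 0 || i >= s.length) return false;
    const cmd = s[i++];
    if (cmd === 's' || cmd === 'y') {
      const delim = s[i++];
      if (delim === undefined || delim === '\\' || delim === '\n') return false;
      i = skipDelimited(s, i, delim);
      if (i >= 0) i = skipDelimited(s, i, delim);
      if (i < 0) return false;
      let flags = '';
      while (i < s.length && !/[\s;}]/.test(s[i])) flags += s[i++];
      if (cmd === 'y' ? flags !== '' : !SAFE_S_FLAGS.test(flags)) return false;
    } else if (cmd === '{') depth++;
    else if (cmd === '}') { if (--depth < 0) return false; }
    else if (!SAFE_CMDS.has(cmd)) return false; // w, W, e, r, R, a, i, c, labels, ...
  }
  return depth === 0;
}

// Classify a full argv (argv[0] must be sed). Every -e/--expression script and
// the first positional (the script when no -e is given) must pass.
function sedIsReadOnly(argv) {
  if (argv[0] !== 'sed') return false;
  const scripts = [];
  for (let i = 1; i < argv.length; i++) {
    const a = argv[i];
    if (a === '--') break; // only input files may follow; reading them is fine
    if (a === '-e' || a === '--expression') { if (++i >= argv.length) return false; scripts.push(argv[i]); }
    else if (a.startsWith('--expression=')) scripts.push(a.slice('--expression='.length));
    else if (a.startsWith('--')) { if (!SAFE_LONG.has(a)) return false; } // --in-place, --file, ...
    else if (a.length > 1 && a[0] === '-') {
      for (let k = 1; k < a.length; k++) { // clustered short options, e.g. -nE, -ne<script>
        if (a[k] === 'e') {
          if (k + 1 < a.length) scripts.push(a.slice(k + 1));
          else if (++i < argv.length) scripts.push(argv[i]); else return false;
          break;
        }
        if (!SAFE_SHORT.has(a[k])) return false; // -i, -f, -s, -l, ...
      }
    } else if (scripts.length === 0) scripts.push(a);
  }
  return scripts.length > 0 && scripts.every(scriptIsReadOnly);
}
```

The design point is deny-by-default: `sedIsReadOnly(['sed', 'w /tmp/out', 'README.md'])` and `s/x/y/w file` forms are refused because `w` is not on the allowlist, not because a pattern for them was anticipated, and a script from `-f` is refused because its contents cannot be inspected. The allowlist deliberately rejects some harmless invocations (`q5`, `,+N` ranges, `a`/`i`/`c` text commands); that cost is acceptable for an auto-approval gate, whereas a blocklist that misses one write construct grants an arbitrary file write.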


Remediation

Install the security update from the vendor's website.

External links