Path traversal in Claude Code - CVE-2025-54794
Published: April 30, 2026
Vulnerability identifier: #VU128531
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-54794
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Anthropic
Affected software:
Claude Code
Claude Code
Detailed vulnerability description
The vulnerability allows a remote attacker to access unauthorized files outside the current working directory.
The vulnerability exists due to path traversal in path validation logic when processing file paths using prefix matching instead of canonical path comparison. A remote attacker can add untrusted content into a Claude Code context window to access unauthorized files outside the current working directory.
Successful exploitation depends on the presence of, or the ability to create, a directory with the same prefix as the current working directory.
How to mitigate CVE-2025-54794
Install security update from vendor's website.