Path traversal in Claude Code - CVE-2025-54794

Published: April 30, 2026


Vulnerability identifier: #VU128531
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-54794
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Claude Code
Software vendor: Anthropic

Description

The vulnerability allows a remote attacker to access unauthorized files outside the current working directory.

The vulnerability exists because the path validation logic relies on string prefix matching rather than canonical path comparison when checking file paths. A remote attacker who can place untrusted content into a Claude Code context window can use this to access unauthorized files outside the current working directory.

Successful exploitation depends on the presence of, or the ability to create, a directory with the same prefix as the current working directory.


Remediation

Install security update from vendor's website.

External links