In the rapidly evolving landscape of artificial intelligence, security remains a paramount concern. Recent discoveries have unveiled critical vulnerabilities within Anthropic’s AI-powered coding assistant, Claude Code, that could allow attackers to execute unauthorized commands. Alarmingly, Claude itself has inadvertently facilitated the development of exploits targeting its own security mechanisms.
Unveiling the Vulnerabilities
Security researcher Elad Beber from Cymulate identified two high-severity vulnerabilities in Claude Code, designated as CVE-2025-54794 and CVE-2025-54795. These findings highlight how AI systems’ analytical capabilities can be manipulated to undermine their own security controls through carefully crafted prompts.
Understanding Claude Code’s Security Framework
Claude Code is designed to assist developers by enabling code writing and execution through natural language commands. Its security architecture relies on two primary defenses:
1. Current Working Directory (CWD) Restrictions: This mechanism confines file operations within a designated directory to prevent unauthorized access.
2. Command Whitelisting: Only pre-approved commands, such as `ls`, `cat`, and `echo`, are permitted for execution.
CVE-2025-54794: Path Restriction Bypass
The first vulnerability exploits a flaw in Claude Code’s directory containment system, which uses naive prefix-based path validation. The system checks if a requested path begins with the approved directory prefix. An attacker can bypass this by creating a directory with a similar prefix. For example, if the working directory is `/tmp/allowed_dir`, creating `/tmp/allowed_dir_malicious` would pass validation because it starts with the approved prefix. This grants unauthorized access to files outside the intended sandbox.
When combined with symbolic links, this vulnerability enables access to critical system files, potentially leading to privilege escalation in environments where Claude Code runs with elevated privileges.
CVE-2025-54795: Command Injection
The second vulnerability allows arbitrary command execution through improper input sanitization of whitelisted commands. Attackers can inject malicious commands while masquerading as legitimate operations.
The attack exploits the `echo` command using a template like: `echo \;
Beber demonstrated this by making Claude execute `open -a Calculator`, launching applications without authorization.
Claude’s Role in Its Own Exploitation
A particularly striking aspect of Beber’s research was how Claude actively participated in developing exploits against itself. Through iterative refinement, Claude analyzed failed attack attempts, identified why they didn’t work, and suggested improvements to bypass its own protections.
This recursive vulnerability development reveals a fundamental AI security challenge: these systems can be directed toward identifying and exploiting their own weaknesses through social engineering and prompt manipulation.
Technical Analysis and Reverse Engineering
Beber’s investigation involved reverse engineering Claude Code’s obfuscated JavaScript codebase using tools like WebCrack and combining this with Claude’s analytical capabilities to unpack the minified code. This process exposed the vulnerable regex patterns and path validation functions that enabled both attacks.
Implications for Enterprise Environments
These vulnerabilities pose significant risks in enterprise environments where Claude Code might operate with elevated privileges. The path bypass could enable access to sensitive configuration files and credentials, while command injection could establish persistent access or install backdoors.
Successful exploitation requires introducing untrusted content into Claude Code’s context, which could occur through malicious documentation, compromised project files, or social engineering.
Anthropic’s Response and Mitigation Measures
Anthropic responded swiftly to Beber’s responsible disclosure. CVE-2025-54794 was fixed in version 0.2.111 with robust canonical path comparison, while CVE-2025-54795 was resolved in version 1.0.20 with improved input sanitization and granular command validation.
Vulnerability Details:
– Path Restriction Bypass (CVE-2025-54794):
– Affected Versions: < v0.2.111 - Fixed Version: v0.2.111 - Action: Update to ≥ v0.2.111 - Description: Exploitable flaw in directory restriction enforcement - Command Injection (CVE-2025-54795): - Affected Versions: < v1.0.20 - Fixed Version: v1.0.20 - Action: Update to ≥ v1.0.20 - Description: Allowed arbitrary command execution via input sanitization bug Broader Implications for AI Security These findings highlight critical challenges as AI systems become more autonomous. The recursive nature of AI-assisted vulnerability research represents a new cybersecurity paradigm where traditional security models may prove insufficient. The research underscores the need to apply rigorous security practices to AI-powered development tools, treating them with the same caution as traditional software systems while developing new approaches for AI-specific threats. CVE-2025-54794 and CVE-2025-54795 illuminate the emerging challenges of securing AI systems that can analyze and potentially compromise their own security measures. As AI systems become more capable, the cybersecurity community must develop innovative approaches, rigorous testing methodologies, and continued collaboration between AI developers and security researchers to address these evolving threats effectively.
