N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54794

GHSA ID

GHSA-pmw4-pwvc-3hx2

EPSS Score

CWE

CWE-22

Published

8/4/2025

Updated

8/4/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54794

CVE-2025-54794: Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access

Due to a path validation flaw using prefix matching instead of canonical path comparison, it was possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window.

Users on standard Claude Code auto-update received this fix automatically after release. Current users of Claude Code are unaffected, as versions prior to 1.0.24 are deprecated and have been forced to update.

Thank you to Elad Beber (Cymulate) for reporting this issue!

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-54794

GHSA ID

GHSA-pmw4-pwvc-3hx2

EPSS Score

CWE

CWE-22

Published

8/4/2025

Updated

8/4/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@anthropic-ai/claude-code	npm	< 0.2.111	0.2.111

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a path traversal issue in the @anthropic-ai/claude-code package, as described in GHSA-pmw4-pwvc-3hx2. The flaw lies in the use of prefix-based path validation instead of canonical path comparison, which can be bypassed to access files outside the current working directory. I was unable to identify the specific vulnerable functions because I could not locate the commit that patches this vulnerability. The security advisory does not provide a direct link to the commit, and my attempts to find it by inspecting repository tags were unsuccessful as the repository appears to have no tags. Without the diff from the fixing commit, I cannot determine which functions were modified and are therefore implicated in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*u* to * p*t* v*li**tion *l*w usin* pr**ix m*t**in* inst*** o* **noni**l p*t* *omp*rison, it w*s possi*l* to *yp*ss *ir**tory r*stri*tions *n* ****ss *il*s outsi** t** *W*. Su***ss*ul *xploit*tion **p*n*s on t** pr*s*n** o* (or **ility to *r**t*) * *

Reasoning

T** vuln*r**ility is * p*t* tr*v*rs*l issu* in t** `@*nt*ropi*-*i/*l*u**-*o**` p**k***, *s **s*ri*** in **S*-pmw*-pwv*-**x*. T** *l*w li*s in t** us* o* pr**ix-**s** p*t* v*li**tion inst*** o* **noni**l p*t* *omp*rison, w*i** **n ** *yp*ss** to ****s

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-54794: Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI