exploitDog

GHSA-7mv8-j34q-vp7q

Published: 20 Nov 2025
Source: github
Github: Reviewed
CVSS4: 8.7

Description

@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes

Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system.

Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.

Thank you to Adam Chester - SpecterOps for reporting this issue!

Packages

Name: @anthropic-ai/claude-code (npm)
Affected versions: < 2.0.31
Fixed version: 2.0.31

EPSS: 0.00091 (percentile: 26%, Low)

CVSS4: 8.7 High

Weaknesses: CWE-78

Related vulnerabilities

CVSS3: 9.8
Source: nvd
3 months ago

Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been patched in version 2.0.31.
