Cyber Posture

CVE-2026-25722

Critical

Published: 06 February 2026

Modified: 09 February 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0014 (33.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.
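
A simplified model of the flaw class described above, added here as an illustration (it is not Claude Code's implementation or code from the advisory): a write check that ignores an earlier directory change, next to one that replays it before resolving the target. The `(operation, argument)` step format, the function names, `ROOT` and `PROTECTED_DIRS` are assumptions made for the example.

```python
import os

PROTECTED_DIRS = (".claude",)  # assumption: folder names that need confirmation

def is_protected(path, root):
    """True if path resolves into a protected folder, or outside root."""
    real, root = os.path.realpath(path), os.path.realpath(root)
    if os.path.commonpath([real, root]) != root:
        return True  # escapes the project: always ask
    return os.path.relpath(real, root).split(os.sep)[0] in PROTECTED_DIRS

def weak_needs_confirmation(steps, root):
    """Weak form: resolves every write target against the starting directory,
    so an earlier ("cd", ...) step is never taken into account."""
    return any(op == "write" and is_protected(os.path.join(root, arg), root)
               for op, arg in steps)

def hardened_needs_confirmation(steps, root):
    """Corrected form: replays directory changes, then resolves each write
    target against the directory that will be current when it runs."""
    cwd = root
    for op, arg in steps:
        if op == "cd":
            cwd = os.path.normpath(os.path.join(cwd, arg))
        elif op == "write" and is_protected(os.path.join(cwd, arg), root):
            return True
    return False

ROOT = "/srv/project"  # constructed project root; need not exist on disk
SAMPLES = {            # constructed (operation, argument) sequences
    "direct write":  [("write", ".claude/settings.json")],
    "cd then write": [("cd", ".claude"), ("write", "settings.json")],
    "ordinary edit": [("cd", "src"), ("write", "main.py")],
}

if __name__ == "__main__":
    for name, steps in SAMPLES.items():
        print(f"{name:14} weak={weak_needs_confirmation(steps, ROOT)} "
              f"hardened={hardened_needs_confirmation(steps, ROOT)}")
```

Only the hardened check asks for confirmation on the "cd then write" sequence; both agree on the other two.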

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

SI-10 mandates information input validation at defined points, directly preventing improper validation of directory change commands like 'cd' that enable path traversal and unauthorized writes to protected folders.

prevent

AC-3 enforces approved access control policies for subjects and objects, blocking write operations to sensitive directories like .claude despite manipulated paths.

detect

SI-7 monitors for unauthorized changes to software and information, detecting file creations or modifications in protected areas resulting from the exploitation.

Security Summary [AI]

CVE-2026-25722 is a vulnerability in Claude Code, an agentic coding tool, affecting versions prior to 2.0.57. It arises from inadequate validation of directory changes when paired with write operations to protected folders, linked to CWE-20 (Improper Input Validation) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command). An attacker can use the 'cd' command to navigate into sensitive directories like .claude, bypassing write protections and enabling the creation or modification of files without user confirmation. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

Exploitation requires the ability to inject untrusted content into a Claude Code context window, allowing network-accessible attackers with no privileges or user interaction to conduct the attack with low complexity. Successful exploitation enables high-impact integrity and availability violations, such as unauthorized file writes to protected areas, potentially compromising the tool's security boundaries.

The vulnerability has been patched in Claude Code version 2.0.57. Additional details on the issue and remediation are available in the security advisory at https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh.

Details

CWE(s)

Affected Products

anthropic
claude code
≤ 2.0.57

AI Security Analysis [AI]

AI Category: APIs and Models
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: claude, claude, claude, claude

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability allows network-accessible attackers to inject OS commands (e.g., 'cd') into the Claude Code context window, exploiting the public-facing application (T1190) and enabling Unix shell command execution (T1059.004) to bypass protections and perform unauthorized file writes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
