CVE-2025-54795

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-54795
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54795.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54795
Aliases
Published
2025-08-05T00:07:29Z
Modified
2025-10-21T02:35:56Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Claude Code echo command allowed bypass of user approval prompt for command execution
Details

Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_versions

[
    {
        "type": "",
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "1.0.20"
            }
        ]
    }
]