GHSA-66q4-vfjg-2qhh

Suggest an improvement
Source
https://github.com/advisories/GHSA-66q4-vfjg-2qhh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-66q4-vfjg-2qhh/GHSA-66q4-vfjg-2qhh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-66q4-vfjg-2qhh
Aliases
  • CVE-2026-25722
Published
2026-02-06T19:02:41Z
Modified
2026-02-06T19:56:44.198671Z
Severity
  • 7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
Details

Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window.

Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.

About Claude Code thanks hackerone.com/nil221 for reporting this issue!

Database specific 
{
    "nvd_published_at": "2026-02-06T18:15:59Z",
    "github_reviewed_at": "2026-02-06T19:02:41Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-20",
        "CWE-78"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / @anthropic-ai/claude-code

Package

Name
@anthropic-ai/claude-code
View open source insights on deps.dev
Purl
pkg:npm/%40anthropic-ai/claude-code

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.57

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-66q4-vfjg-2qhh/GHSA-66q4-vfjg-2qhh.json"