CVE-2025-66032

Published Dec 3, 2025

Last updated 3 months ago

CVSS high 8.7
Claude Code

Overview

Description
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.
Source
security-advisories@github.com
NVD status
Analyzed
Products
claude_code

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-77

Social media

Hype score
Not currently trending

  1. セキュリティリサーチャー RyotaK @ryotkak の技術ブログを公開しました。 今回、任意コマンドの実行に繋げられるClaude Codeの安全機構のバイパス手法を8つ発見し・報告しました。 脆弱性(CVE-2025-66032)が修正され

    @flatt_security

    12 Jan 2026

    13913 Impressions

    17 Retweets

    66 Likes

    36 Bookmarks

    0 Replies

    6 Quotes

  2. We've published a new blog post by RyotaK @ryotkak He discovered 8 methods to bypass safety mechanisms in Claude Code, leading to arbitrary command execution. We recommend updating to v1.0.93 or later to fix this vulnerability (CVE-2025-66032). https://t.co/sNu7Z9QoXk

    @flatt_sec_en

    12 Jan 2026

    40879 Impressions

    64 Retweets

    176 Likes

    140 Bookmarks

    1 Reply

    4 Quotes

  3. SECURITY ALERT: CVE-2025-66032 Exploit Fix & Mitigation Guide Read more: https://t.co/73jszGHeoN #Cybersecurity #CVE https://t.co/P9eSMMwGJP

    @SecReportCVE

    31 Dec 2025

    52 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-66032 Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Cla… https://t.co/OJimROA8fj

    @CVEnew

    3 Dec 2025

    197 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2.CVE-2026-25725
  2. Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7.CVE-2026-25724
  3. Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57.CVE-2026-25722
  4. Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled. This issue has been patched in version 2.0.55.CVE-2026-25723
  5. Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74.CVE-2026-24053

References

Sources include official advisories and independent security research.