Claude Code Vulnerability CVE-2025-64755 | Sed Command Validation Bypass Enables Arbitrary File Writes
Target Audience
- Developers who regularly use Claude Code
Key Points
- Technical attack mechanism of CVE-2025-64755
- How to determine if your environment is affected
- Concrete remediation steps
Vulnerability Overview
Important
If you have auto-updated to v2.0.31 or later, you are not affected by this vulnerability.
On November 20, 2025, Anthropic disclosed a critical vulnerability, CVE-2025-64755, in Claude Code. The vulnerability exploits a flaw in sed command parsing to bypass read-only mode restrictions and write to arbitrary files on the host system.
Basic Information
| Item | Details |
|---|---|
| CVE ID | CVE-2025-64755 |
| Severity | Critical (CVSS 3.1: 9.8) / High (CVSS 4.0: 8.7) |
| Affected Versions | Before v2.0.31 |
| Fixed Version | v2.0.31 |
| CWE | CWE-78 (OS Command Injection) |
| Discovered By | Adam Chester (SpecterOps) |
Technical Details
Vulnerability Mechanism
Claude Code includes a read-only mode as a security feature to prevent file writes outside user-specified directories. However, a flaw in the sed command validation logic allowed certain command patterns to bypass this restriction.
The sed command supports subcommands like w (write) and r (read) for file operations. In vulnerable versions, inputs containing these subcommands were not properly validated, enabling writes to arbitrary paths.
Attack Scenario
Attackers can construct the following attack chain through prompt injection:
- Prepare malicious repository: Embed crafted prompts in README or code files
- Claude Code processes content: The prompt executes when a developer analyzes the repository
- Exploit sed command: Bypass validation to write to shell startup files like .zshenv
- Achieve RCE: Malicious code executes on next shell startup
Severity of Attack
This attack is fully automatable and could bypass read-only mode without explicit user permission.
Impact Scope and Exploitation Status
Affected Environments
- npm Claude Code: @anthropic-ai/claude-code versions before v2.0.31
- All platforms: Windows, macOS, Linux
Current Exploitation Status
As of January 2026, PoC (proof-of-concept) code has been published, and there are reports of active exploitation. Security researchers have confirmed attacks targeting cryptocurrency users.
Remediation Steps
Check Your Version
Verify your current Claude Code version:
claude --version
If you're running v2.0.31 or later, you're protected.
Manual Update Required
If you've disabled auto-updates, run:
npm update -g @anthropic-ai/claude-code
Auto-Update Users
If you use Claude Code with default settings, the fix has already been applied via auto-update.
Additional Defensive Measures
If you used a vulnerable version, consider these checks:
- Review shell startup files (.bashrc, .zshenv, etc.) for suspicious modifications
- Check recent command history for unfamiliar sed commands
- Exercise caution if you've analyzed untrusted repositories
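One way to automate the history check above, as an added example that is not from the original advisory or from Anthropic: it extracts the files that sed's w command or s///w flag would write and flags those that are shell startup files. The function names, the STARTUP_FILES list and the sample history lines are assumptions made for illustration, and the matching is a regex heuristic over plain one-command-per-line history.

```python
import os
import re
import shlex

# Startup files named in the article plus common siblings (assumed list).
STARTUP_FILES = {".bashrc", ".bash_profile", ".profile", ".zshenv", ".zshrc"}
# Heuristic, not a full sed parser: `w FILE` as a command or as a flag of s///.
W_COMMAND = re.compile(r"(?:^|[;{\n])\s*(?:[0-9$,~+]+|/(?:\\.|[^/\\])*/)?\s*w\s+(\S[^\n]*)")
S_W_FLAG = re.compile(r"s(.)(?:\\.|(?!\1)[^\\])*\1(?:\\.|(?!\1)[^\\])*\1[gpiIeMm0-9]*w\s+(\S[^\n]*)")
HISTORY = [  # constructed sample lines, not real data
    "sed -i 's/foo/bar/g' src/app.js",
    "sed -n 'w /home/dev/.zshenv' README.md",
    "sed -e 's/debug/info/w /tmp/changed.log' config.ini",
]

def sed_scripts(line):
    """Return the sed script strings found in one shell history line."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = line.split()
    scripts = []
    for i, tok in enumerate(tokens):
        if os.path.basename(tok) != "sed":
            continue
        explicit, positional, args = [], None, iter(tokens[i + 1:])
        for arg in args:
            if arg in {"|", ";", "&&", "||"}:
                break
            if re.fullmatch(r"-[nErsuz]*e", arg):
                explicit.append(next(args, ""))  # -e SCRIPT
            elif arg and not arg.startswith("-") and positional is None:
                positional = arg  # first non-option argument
        scripts += explicit or ([positional] if positional else [])
    return scripts

def sed_write_targets(line):
    """Return the file paths that sed's `w` would write to in this line."""
    hits = []
    for script in sed_scripts(line):
        hits += [m.group(1).strip() for m in W_COMMAND.finditer(script)]
        hits += [m.group(2).strip() for m in S_W_FLAG.finditer(script)]
    return hits

def flag_history(lines):
    """Return (line, target) pairs where sed writes to a shell startup file."""
    return [(line, target) for line in lines for target in sed_write_targets(line)
            if os.path.basename(target) in STARTUP_FILES]
```

A hit is a prompt to inspect the named file, not proof of compromise; the patterns favour false positives over misses.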
Lessons Learned
Security Risks of AI Tools
This vulnerability highlights unique risks inherent to AI coding tools:
- Prompt Injection: AI inputs can become attack vectors
- False Sense of Security: Read-only mode doesn't guarantee complete protection
- Supply Chain Attacks: Indirect attacks via malicious repositories
Recommendations for Developers
- Always keep AI tools updated to the latest version
- Exercise extra caution when analyzing code from untrusted sources
- Consider running in sandboxed environments
Summary
CVE-2025-64755 is a critical vulnerability in Claude Code's sed command validation. It has been fixed in v2.0.31, and auto-update users are already protected. Manual update users should upgrade immediately.
As AI coding tools become more prevalent, vulnerabilities like this will likely continue to be discovered. Maintaining the latest version and monitoring security advisories is essential.