@anthropic-ai/claude-code
npm25 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting @anthropic-ai/claude-codepage 1 of 1
- CVE-2025-52882HIGHCVSS 8.8EG 8.8✓ Fixed in 1.0.242025-06-24
Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections …
- CVE-2025-54794CRITICALCVSS 9.1EG 9.1✓ Fixed in 0.2.1112025-08-05
Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Succe…
- CVE-2025-54795CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.0.202025-08-05
Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires th…
- CVE-2025-55284HIGHCVSS 7.5EG 7.5✓ Fixed in 1.0.42025-08-16
Claude Code is an agentic coding tool. Prior to version 1.0.4, it's possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation due to an overly broad allowl…
- CVE-2025-58764CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.0.1052025-09-10
Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this …
- CVE-2025-59041CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.0.1052025-09-10
Claude Code is an agentic coding tool. At startup, Claude Code executed a command templated in with `git config user.email`. Prior to version 1.0.105, a maliciously configured user email in git could be used to trigger arbitrary code execu…
- CVE-2025-59536HIGHCVSS 8.8EG 8.8✓ Fixed in 1.0.1112025-10-03
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the startup trust dialog implementation. Claude Code could be tricked to execute code contained in a project before the user a…
- CVE-2025-59828CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.0.392025-09-24
Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn --version. This could lead to a bypass of the directory trust dial…
- CVE-2025-59829MEDIUMCVSS 6.5EG 6.5✓ Fixed in 1.0.1202025-10-03
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to …
- CVE-2025-64755CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.0.312025-11-21
Claude Code is an agentic coding tool. Prior to version 2.0.31, due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system. This issue has been pat…
- CVE-2025-65099CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.0.392025-11-19
Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked to execute code contained in a project via yarn plugins before the user accepted the star…
- CVE-2025-66032CRITICALCVSS 9.8EG 9.8✓ Fixed in 1.0.932025-12-03
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Relia…
- CVE-2026-21852HIGHCVSS 7.5EG 7.5✓ Fixed in 2.0.652026-01-21
Claude Code is an agentic coding tool. Prior to version 2.0.65, vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. An attacker-contr…
- CVE-2026-24052HIGHCVSS 7.4EG 7.4✓ Fixed in 1.0.1112026-02-03
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate…
- CVE-2026-24053MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.0.742026-02-03
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory wit…
- CVE-2026-24887HIGHCVSS 8.8EG 8.8✓ Fixed in 2.0.722026-02-03
Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably…
- CVE-2026-25722CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.0.572026-02-06
Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive director…
- CVE-2026-25723MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.0.552026-02-06
Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability ena…
- CVE-2026-25724HIGHCVSS 7.5EG 7.5✓ Fixed in 2.1.72026-02-06
Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a f…
- CVE-2026-25725CRITICALCVSS 10.0EG 10.0✓ Fixed in 2.1.22026-02-06
Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directo…
- CVE-2026-35603HIGHCVSS 7.3EG 7.3✓ Fixed in 2.1.752026-04-17
Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access p…
- CVE-2026-39861CRITICALCVSS 10.0EG 10.0✓ Fixed in 2.1.642026-04-21
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path wit…
- CVE-2026-40068HIGHCVSS 8.8EG 8.8✓ Fixed in 2.1.842026-05-05
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a…
- CVE-2026-46406MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.1.1282026-06-25
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file …
- CVE-2026-54316CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.1.1632026-06-17
Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—…
Check whether @anthropic-ai/claude-code is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for @anthropic-ai/claude-code CVEs against the assets you own.
Start Free Scan →