The vulnerabilities, designated CVE-2025-54794 and CVE-2025-54795, were discovered by cybersecurity researcher Elad Beber from Cymulate and have since been patched by Anthropic’s security team.
The research demonstrates how artificial intelligence systems can inadvertently assist in their exploitation through a technique called “inverse prompting,” where the AI model is used to reverse-engineer its security mechanisms.
Beber’s investigation began during Anthropic’s Research Preview phase and utilized Claude itself to deobfuscate and analyze the Claude Code application’s security architecture.
This novel approach highlights emerging risks in AI-powered development tools where the same system designed to enforce security boundaries can potentially be manipulated to reveal bypass methods.
The first vulnerability, CVE-2025-54794, affects the path restriction mechanism that should limit Claude Code’s file operations to a predefined current working directory (CWD).
The flaw stems from inadequate path validation: a naive string-prefix comparison that can be bypassed through directory name manipulation.
An attacker could create directories with similar prefixes to the legitimate CWD, such as creating “/Users/eladbeber/Documents/claude_code_evil” when the legitimate directory is “/Users/eladbeber/Documents/claude_code”.
This vulnerability, which received a CVSS score of 7.7, allows unauthorized file access outside the intended sandbox boundaries.
The flaw mirrors a similar issue previously discovered in Anthropic’s Filesystem MCP Server, suggesting that the same flawed validation pattern is being repeated across different products.
When combined with symbolic links, this vulnerability could enable complete file system access in environments where Claude Code operates with elevated privileges.
The second vulnerability, CVE-2025-54795, represents a more severe command injection flaw with a CVSS score of 8.7.
Despite Claude Code’s implementation of a whitelist-based command execution system, Beber discovered that improper input sanitization allows attackers to inject arbitrary shell commands disguised within permitted operations.
The exploit leverages the echo command, which is whitelisted for execution without user confirmation, as a vector for command injection using payload structures like echo ""; <COMMAND>; echo "".
This technique effectively smuggles unauthorized commands within legitimate requests, bypassing the system’s approval prompts entirely.
The vulnerability demonstrates how string manipulation can be used to break out of intended command contexts, potentially leading to local privilege escalation in environments where Claude Code operates with elevated permissions.
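The two weak checks described above (a string-prefix test for the CWD boundary, and an allowlist that only looks at the leading word of a command) are shown below next to hardened versions. This is an added illustration, not Claude Code's own source; the directory names and the small allowlist are constructed for the example.

```python
import os
import shlex

# Constructed example values mirroring the article's pattern; not real paths.
CWD = "/Users/eladbeber/Documents/claude_code"
ALLOWLIST = {"echo", "ls", "pwd"}  # assumed allowlist, for illustration only


def naive_is_within_cwd(path: str, cwd: str) -> bool:
    """Weak check: a plain string-prefix test.
    '.../claude_code_evil' starts with '.../claude_code', so it passes."""
    return path.startswith(cwd)


def is_within_cwd(path: str, cwd: str) -> bool:
    """Hardened check: canonicalise both sides (realpath also follows
    symlinks, so a link inside the CWD is judged by its target), then
    require the candidate to be the CWD itself or a descendant of it.
    commonpath is separator-aware, so 'claude_code_evil' is not treated
    as living under 'claude_code'."""
    root = os.path.realpath(cwd)
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) == root


def naive_is_allowlisted(command: str) -> bool:
    """Weak check: only the first word is examined, so
    'echo ""; <COMMAND>; echo ""' is accepted as a harmless echo."""
    return command.split(" ", 1)[0] in ALLOWLIST


def is_allowlisted(command: str) -> bool:
    """Hardened check: refuse any shell metacharacter that could chain or
    substitute commands, then tokenise with shlex so the allowlist decision
    applies to the whole command line rather than its first word."""
    if any(ch in command for ch in ";&|`$\n<>()"):
        return False
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return False
    return bool(argv) and argv[0] in ALLOWLIST
```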
Anthropic responded promptly to the disclosure, releasing patches in Claude Code versions v0.2.111 and v1.0.20 to address both vulnerabilities.
This research underscores the importance of rigorous security testing in AI development tools and highlights how artificial intelligence systems can be weaponized against themselves through creative prompt engineering techniques.
The findings emphasize the need for robust input validation and proper sandboxing mechanisms in AI-powered development environments.
The post Security Flaw in Claude Lets Attackers Abuse AI to Run Unauthorized Commands appeared first on Cyber Security News.