Claude Code & The Echo Chamber: CVE-2026-25723
Vulnerability ID: CVE-2026-25723
CVSS Score: 7.7
Published: 2026-02-06
In the race to build autonomous coding agents, Anthropic's 'Claude Code' (claude-code) stumbled over a classic Unix pitfall. CVE-2026-25723 is a high-severity file write restriction bypass that allows the AI agent—or an attacker influencing it—to overwrite sensitive files outside the project scope. By leveraging piped sed commands, the tool's input validation logic was circumvented, potentially turning a helpful coding assistant into a machine for overwriting SSH keys or configuration files.
TL;DR
Claude Code versions < 2.0.55 failed to properly sanitize piped shell commands, specifically echo | sed. This allowed file write restrictions to be bypassed, enabling arbitrary file overwrites (e.g., ~/.ssh/authorized_keys) via prompt injection or malicious repository content.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-78 (OS Command Injection)
- CWE ID: CWE-20 (Improper Input Validation)
- CVSS v4.0: 7.7 (High)
- Attack Vector: Network (via Prompt Injection)
- Exploit Status: PoC Available
- Patch Status: Fixed in 2.0.55
Affected Systems
- claude-code < 2.0.55 (npm package)
- Developer workstations running vulnerable versions
-
claude-code: < 2.0.55 (Fixed in:
2.0.55)
Exploit Details
-
Hypothetical: Exploitation involves prompt injection to coerce the agent into running
echo | sedcommands.
Mitigation Strategies
- Strict Input Validation
- Avoid Shell Execution for File I/O
- Principle of Least Privilege
Remediation Steps:
- Upgrade @anthropic-ai/claude-code to version 2.0.55 or later immediately.
- Audit any repositories processed by the agent prior to the patch for malicious configuration changes.
- Review ~/.ssh/authorized_keys and shell profiles (~/.bashrc, ~/.zshrc) for unexpected entries.
References
Read the full report for CVE-2026-25723 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)