Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 47 npm packages depend on @anthropic-ai/sdk (46 direct, 1 indirect)
Ecosystem-wide dependent count for version 0.79.0.
DescriptionGitHub Advisory
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0.
AnalysisAI
Path traversal vulnerability in Anthropic Claude SDK for TypeScript (versions 0.79.0-0.80.x) allows remote attackers to read and write files outside the intended sandboxed memory directory via prompt injection. The vulnerability exploits incomplete path validation in the local filesystem memory tool, where a model supplied with crafted input can reference sibling directories sharing the memory root's name prefix. Patch available in version 0.81.0; no public exploit code or active exploitation confirmed, but the attack surface is exposed to any application using the affected SDK versions with model-supplied file paths.
Technical ContextAI
The Anthropic Claude SDK for TypeScript implements a local filesystem memory tool that manages file I/O operations intended to be sandboxed within a specific directory. The vulnerability resides in CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), occurring in the path validation logic that uses a simple string prefix check without appending a trailing path separator. For example, if the memory root is /app/memory, an attacker can supply /app/memory-sibling as a crafted path; because the prefix check only validates that the path starts with /app/memory (without the separator), it incorrectly permits traversal to /app/memory-sibling and its contents. This allows arbitrary file read/write operations on the host filesystem when a language model is prompted to use the memory tool with malicious input, effectively breaking the sandbox boundary.
RemediationAI
Immediately upgrade the Anthropic Claude SDK for TypeScript to version 0.81.0 or later, which contains the patched path validation logic that correctly appends trailing path separators before prefix checks. For applications unable to update immediately, implement input sanitization and validation at the application layer to prevent prompt injection attacks that could exploit the memory tool feature; sanitize all user-controllable input passed to model prompts and restrict the model's access to the memory tool if possible through SDK configuration. Consult the security advisory at https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-5474-4w2j-mq4c for additional context and confirmation of the patch.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17679
GHSA-5474-4w2j-mq4c