Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on @anthropic-ai/claude-code (3 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.120.
DescriptionGitHub Advisory
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.120.
AnalysisAI
A security vulnerability in Claude Code (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Technical ContextAI
Vulnerability type not specified by vendor. Affects Claude Code.
RemediationAI
Monitor vendor channels for patch availability.
More in Claude Code
View allOS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to e
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbi
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution vi
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and shor
Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to injec
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the sta
Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command p
Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repo
Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting
Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no au
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious reposi
Same weakness CWE-61 – UNIX Symbolic Link (Symlink) Following
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-32506
GHSA-66m2-gx93-v996