Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a persistent cache file with insufficient permissions, creating a forensic record of accessed paths that survives process exit.
AnalysisAI
Path traversal in Claude HUD through version 0.0.12 permits local low-privileged attackers to read arbitrary files by supplying a crafted transcript_path value via stdin JSON, bypassing all path validation. Beyond direct file read access, the application writes file metadata - including the accessed paths - to a persistent cache file with insufficiently restrictive permissions, leaving a forensic record readable by other local users that survives process termination. No public exploit code has been identified at time of analysis; CVSS 4.0 scores this 4.8 (Medium) reflecting local-only reach, and a vendor patch is available at commit 234d9aa.
Technical ContextAI
Claude HUD (CPE: cpe:2.3:a:jarrodwatts:claude-hud:*:*:*:*:*:*:*:*) is a Node.js terminal overlay tool for Claude Code sessions that accepts structured JSON over stdin, including a transcript_path field pointing to a Claude conversation transcript. Prior to commit 234d9aa, this path was passed directly to file-reading functions in src/transcript.ts without canonicalization or directory-boundary enforcement - a textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) root cause. The PR diff confirms the fix introduces canonicalizeTranscriptPath() using fs.realpathSync() to resolve symlinks and normalize traversal sequences, and resolvePathWithinCwd() which checks that the resolved absolute path does not escape the working directory via path.relative() prefix inspection. A secondary weakness was that writeTranscriptCache() called fs.writeFileSync() without an explicit mode, leaving cache file permissions subject to the process umask and potentially world-readable; the fix enforces { mode: 0o600 }. The same PR also adds sanitization of control and Unicode BiDi characters in display output and tightens hyperlink URI allowlists to https: and file: protocols.
RemediationAI
Apply the upstream patch from commit 234d9aad919b51326a43bcf90b45ae35c23afc30 (https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30), which resolves the path traversal by introducing fs.realpathSync() canonicalization and cwd-boundary enforcement before processing any transcript_path value, and hardens cache file creation to use mode: 0o600. Users should build from the patched commit directly, as a tagged stable release incorporating this fix has not been independently confirmed; monitor https://github.com/jarrodwatts/claude-hud/releases for a versioned release. As an immediate compensating control where patching is not feasible, restrict which users can invoke Claude HUD or write to its stdin - since exploitation requires local access and stdin control, tightening process invocation permissions meaningfully reduces the attack surface, at the trade-off of limiting who can use the tool. Additionally, audit and restrict permissions on existing Claude HUD cache directories to prevent secondary path-metadata disclosure from pre-patch cache files already on disk. Full patch details are in PR https://github.com/jarrodwatts/claude-hud/pull/487.
More in Claude Hud
View allLocal privilege code execution in jarrodwatts/claude-hud through version 0.0.12 on Windows allows authenticated local us
Terminal injection in Claude HUD through version 0.0.12 allows an attacker who controls a Git branch name or working dir
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30800
GHSA-4524-x6pc-rr9x