关键漏洞信息 漏洞标题 Path Restriction Bypass in Claude Code Research Preview could allow unauthorized file access when path prefixes collide 严重性 Severity: High (7.7/10) 影响版本与修复版本 Affected versions: < v0.2.111 Patched versions: v0.2.111 描述 Description: - 由于路径验证缺陷,使用前缀匹配而不是规范路径比较,可以绕过目录限制并访问当前工作目录(CWD)外部的文件。成功利用此漏洞取决于存在(或能够创建)一个具有与CWD相同前缀的目录,并且能够将不受信任的内容添加到Claude Code上下文窗口中。 - 标准Claude Code自动更新用户在发布后会自动收到此修复。当前Claude Code用户不受影响,因为1.0.24之前的版本已弃用并被迫更新。 CVSS v4 基础指标 Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Attack Requirements: Present - Privileges Required: None - User interaction: Passive Vulnerable System Impact Metrics: - Confidentiality: High - Integrity: High - Availability: High Subsequent System Impact Metrics: - Confidentiality: None - Integrity: None - Availability: None CVE ID CVE-2025-54794 弱点 Weaknesses: CWE-22