漏洞关键信息 漏洞名称: Permission Deny Bypass Through Symbolic Links CVE ID: CVE-2026-25724 GHSA ID: GHSA-4q92-rfm6-2cqxl 发布者: ddwroken 发布时间: 18 hours ago 受影响版本: < v2.1.7 已修补版本: v2.1.7 漏洞描述: - Claude Code在通过符号链接访问文件时未能严格执行settings.json中配置的拒绝规则。如果用户明确拒绝Claude Code访问某个文件(如/etc/passwd),而Claude Code通过指向该文件的符号链接访问,它可以通过符号链接读取受限文件,而不会触发拒绝规则的执行。 - 标准Claude Code自动更新的用户会自动收到此修复。执行手动更新的用户建议更新到最新版本。 报告者: https://hackerone.com/ofirn 严重性: 2.3/10 (低) CVSS v4 base metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Attack Requirements: Present - Privileges Required: None - User Interaction: Passive - Vulnerable System Impact Metrics: - Confidentiality: Low - Integrity: Low - Availability: Low - Subsequent System Impact Metrics: - Confidentiality: None - Integrity: None - Availability: None 弱点类型: - CWE-61 - CWE-285