CVE-2025-55284: 
JavaScript vulnerability analysis and mitigation

Claude Code, an agentic coding tool, was found to contain a vulnerability (CVE-2025-55284) that allows bypassing confirmation prompts to read files and send their contents over the network without user confirmation. The vulnerability affects versions prior to 1.0.4 and was discovered in August 2025. The issue stems from an overly broad allowlist of safe commands (GitHub Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 7.1 (High severity) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Exploitation requires network access and passive user interaction, with potential for high confidentiality impact on the vulnerable system (GitHub Advisory).

If successfully exploited, the vulnerability allows attackers to bypass security controls and read files from the system, followed by exfiltrating the contents over the network without user confirmation. This represents a significant confidentiality breach for affected systems (GitHub Advisory).

The vulnerability has been patched in version 1.0.4. Users on standard Claude Code auto-update received this fix automatically after release. All versions prior to 1.0.24 have been deprecated and users have been forced to update, meaning current users are unaffected by this vulnerability (GitHub Advisory).