CVE-2025-55284: 
JavaScript vulnerability analysis and mitigation

Claude Code, an agentic coding tool, was found to contain a security vulnerability (CVE-2025-55284) prior to version 1.0.4. The vulnerability was discovered and disclosed on August 15, 2025. The issue affects versions of Claude Code below v1.0.4, with v1.0.4 being the patched version (GitHub Advisory).

The vulnerability stems from an overly broad allowlist of safe commands that could enable bypassing Claude Code confirmation prompts. This bypass allows unauthorized file reading and network exfiltration without user confirmation. The vulnerability has been assigned a CVSS v4.0 base score of 7.1 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The weakness is categorized as CWE-78: Improper Neutralization of Special Elements used in an OS Command (GitHub Advisory).

When exploited, the vulnerability allows attackers to read files and exfiltrate their contents over the network without triggering the usual user confirmation prompts. This represents a significant confidentiality breach in the affected systems (GitHub Advisory).

The vulnerability has been patched in version 1.0.4. Users on standard Claude Code auto-update received this fix automatically after release. Current users of Claude Code are unaffected as versions prior to 1.0.24 are deprecated and have been forced to update (GitHub Advisory).