CVE-2025-58764: 
JavaScript vulnerability analysis and mitigation

Claude Code, an agentic coding tool, was found to contain a critical security vulnerability (CVE-2025-58764) discovered on September 10, 2025. The vulnerability affects versions prior to 1.0.105 and involves a bypass of the Claude Code confirmation prompt that could allow execution of untrusted commands. The issue was reported by the NVIDIA AI Red Team (GitHub Advisory).

The vulnerability stems from an error in command parsing that enables attackers to bypass the Claude Code confirmation prompt and execute untrusted commands. The issue has been assigned a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (GitHub Advisory, NVD).

Successful exploitation of this vulnerability could lead to arbitrary code execution with high impact on confidentiality, integrity, and availability of the affected system. The attack vector is network-accessible with low attack complexity, requiring only passive user interaction (GitHub Advisory).

Users are advised to update to version 1.0.105 or later which contains the fix for this vulnerability. Those using standard Claude Code auto-update will have received this fix automatically. Users performing manual updates should update to the latest version immediately (GitHub Advisory).