CVE-2025-55284 is a high-severity OS command injection vulnerability (CWE-78) found in the anthropics Claude Code agentic coding tool, specifically in versions prior to 1.0.4. Claude Code is designed to assist with coding tasks by executing commands, but before version 1.0.4, it contained an overly broad allowlist of safe commands that could be bypassed. This flaw allows an attacker who can inject untrusted content into a Claude Code context window to circumvent the tool's confirmation prompts. By doing so, the attacker can read arbitrary files on the host system and exfiltrate their contents over the network without user approval. The vulnerability does not require any privileges or authentication (AV:N/PR:N), and no user interaction beyond the injection of malicious content is needed (UI:P). The CVSS 4.0 score is 7.1, reflecting a high impact primarily on confidentiality due to unauthorized data disclosure. The vulnerability affects only versions earlier than 1.0.4, and users on standard auto-update paths have been automatically patched. Versions prior to 1.0.24 are deprecated and forced to update, meaning current users should not be vulnerable. There are no known exploits in the wild at this time. The vulnerability arises from improper neutralization of special elements in OS commands, allowing command injection and unauthorized command execution within the Claude Code environment.

For European organizations using Claude Code versions prior to 1.0.4, this vulnerability poses a significant risk of data confidentiality breaches. An attacker able to inject malicious content into the Claude Code context could read sensitive files and transmit their contents externally without user consent. This could lead to leakage of intellectual property, customer data, or internal configuration files. Since the vulnerability requires no privileges or authentication, any exposed interface or collaborative environment where untrusted input can reach Claude Code is a potential attack vector. The impact on integrity and availability is minimal, as the vulnerability primarily enables data exfiltration rather than system disruption or modification. However, the breach of confidentiality alone can have severe regulatory and reputational consequences under European data protection laws such as GDPR. The automatic update mechanism mitigates risk for most users, but organizations with strict change control or offline environments may remain exposed if they have not updated. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers could develop exploits given the public disclosure.

European organizations should ensure that all instances of Claude Code are updated to version 1.0.4 or later immediately. For environments where automatic updates are disabled or controlled, manual patching must be prioritized. Additionally, organizations should audit and restrict the ability to inject untrusted content into Claude Code context windows, for example by limiting access to trusted users and validating or sanitizing inputs that reach the tool. Network monitoring should be enhanced to detect unusual outbound data flows that could indicate exfiltration attempts. Implementing strict access controls and segmentation around systems running Claude Code can reduce exposure. Organizations should also review their incident response plans to include scenarios involving agentic coding tools and command injection attacks. Finally, educating developers and users about the risks of injecting untrusted content into automated coding assistants can help prevent exploitation.