CVE-2025-66032 is a command injection vulnerability classified under CWE-77 affecting anthropics' Claude Code, an agentic coding tool. The vulnerability exists in versions prior to 1.0.93 due to errors in parsing shell commands related to the Internal Field Separator ($IFS) and short command-line interface (CLI) flags. These parsing errors allow attackers to bypass the tool's read-only validation mechanisms, which are intended to prevent code execution. By injecting specially crafted input containing shell metacharacters or manipulating $IFS, an attacker can execute arbitrary shell commands within the context of the Claude Code process. Exploitation requires the attacker to be able to insert untrusted content into a Claude Code context window, which implies some level of user interaction or content injection capability. The vulnerability does not require authentication or elevated privileges, and no user privileges are needed, but user interaction is necessary to trigger the exploit. The CVSS 4.0 base score is 8.7, reflecting high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability was publicly disclosed on December 3, 2025, and fixed in version 1.0.93. No known exploits have been reported in the wild yet. The flaw could allow attackers to execute arbitrary commands, potentially leading to full system compromise, data theft, or disruption of services.

For European organizations, this vulnerability poses a significant risk, especially for those using Claude Code in software development, automation, or CI/CD pipelines. Successful exploitation could lead to unauthorized code execution, compromising sensitive intellectual property, injecting malicious code into software builds, or disrupting development workflows. The impact extends to confidentiality breaches, integrity violations through unauthorized code changes, and availability issues if systems are disrupted or taken offline. Given the network attack vector and no authentication requirement, attackers could exploit this remotely if they can deliver malicious input to a user or system running vulnerable Claude Code versions. The requirement for user interaction means phishing or social engineering could be used to facilitate exploitation. The absence of known exploits in the wild suggests a window for proactive mitigation before widespread attacks occur. However, the high severity score indicates that once exploited, the consequences could be severe, including potential lateral movement within networks and compromise of critical infrastructure supporting software development.

1. Immediately upgrade all instances of anthropics Claude Code to version 1.0.93 or later, where the vulnerability is patched. 2. Restrict the ability to insert untrusted or user-generated content into Claude Code context windows, employing strict input validation and sanitization to prevent injection of shell metacharacters or manipulation of $IFS. 3. Implement application-level controls to monitor and log unusual command execution patterns within Claude Code environments. 4. Educate users and developers about the risks of interacting with untrusted content in Claude Code and the importance of cautious handling of CLI inputs. 5. Employ network segmentation and least privilege principles to limit the impact of potential exploitation. 6. Use endpoint detection and response (EDR) tools to detect anomalous process behavior indicative of command injection attempts. 7. Regularly audit and review software development tools and environments for timely application of security patches and updates. 8. Consider deploying runtime application self-protection (RASP) or similar technologies to detect and block command injection attempts dynamically.