CVE-2026-25722 is a vulnerability classified under CWE-20 (Improper Input Validation) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) affecting anthropics Claude Code, an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when users issued the cd command combined with write operations targeting protected folders such as the .claude directory. This improper validation allowed attackers who could inject untrusted content into the Claude Code context window to navigate into sensitive directories and bypass write protections. Consequently, attackers could create or modify files without triggering user confirmation or security controls designed to prevent unauthorized changes. The vulnerability is exploitable remotely over the network with low attack complexity, requiring partial user interaction but no privileges or authentication. The impact includes potential unauthorized modification or creation of files in protected directories, threatening confidentiality, integrity, and availability of critical data or configurations. The issue was addressed and patched in Claude Code version 2.0.57. No known public exploits have been reported yet, but the vulnerability’s characteristics warrant prompt remediation.

For European organizations, this vulnerability could lead to unauthorized modification or creation of files within protected directories of Claude Code installations, potentially compromising sensitive project data, configuration files, or intellectual property. Attackers could leverage this to implant malicious code, disrupt development workflows, or exfiltrate confidential information. The agentic nature of Claude Code means automated or semi-automated code generation and execution could be manipulated, increasing risk of supply chain or internal sabotage attacks. Organizations relying on Claude Code for software development or automation may face operational disruptions and data integrity issues. The network-exploitable nature and low complexity increase the likelihood of exploitation if untrusted input injection is possible, especially in collaborative or multi-user environments. This could also impact compliance with European data protection regulations if sensitive data is exposed or altered.

European organizations should immediately upgrade all anthropics Claude Code installations to version 2.0.57 or later to apply the official patch. Additionally, restrict or sanitize all untrusted input sources that can be injected into Claude Code context windows to prevent exploitation. Implement strict access controls and monitoring on directories like .claude to detect unauthorized changes. Employ application whitelisting and file integrity monitoring to alert on unexpected file modifications. Educate developers and users on the risks of injecting untrusted content and enforce secure coding and usage practices. Network segmentation and limiting exposure of Claude Code instances to untrusted networks can reduce attack surface. Finally, integrate vulnerability scanning and patch management processes to ensure timely updates of development tools.