CVE-2026-34451: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics anthropic-sdk-typescript
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0.
AI Analysis
Technical Summary
The Claude SDK for TypeScript versions 0.79.0 to before 0.81.0 contain a path traversal vulnerability in the local filesystem memory tool. The vulnerability arises because the SDK validates model-supplied paths by checking if the path string starts with a prefix matching the memory root directory, but it does not append a trailing path separator. This flaw allows a maliciously crafted path, potentially influenced by prompt injection, to resolve to a sibling directory with a name sharing the memory root's prefix, thereby escaping the sandbox restrictions. This enables unauthorized filesystem reads and writes outside the intended restricted directory. The vulnerability is tracked as CVE-2026-34451 and has a CVSS 4.0 base score of 6.3 (medium severity). The issue was patched in version 0.81.0 of the SDK.
Potential Impact
Exploitation of this vulnerability allows an attacker to read from and write to filesystem locations outside the sandboxed memory directory intended by the SDK. This could lead to unauthorized access or modification of files on the host system where the SDK is running. The impact is limited by the requirement of a model-driven prompt injection to supply the crafted path. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade the anthropic-sdk-typescript package to version 0.81.0 or later, where this path traversal vulnerability has been patched. No other mitigations are specified or required once the update is applied.
CVE-2026-34451: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in anthropics anthropic-sdk-typescript
Description
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Claude SDK for TypeScript versions 0.79.0 to before 0.81.0 contain a path traversal vulnerability in the local filesystem memory tool. The vulnerability arises because the SDK validates model-supplied paths by checking if the path string starts with a prefix matching the memory root directory, but it does not append a trailing path separator. This flaw allows a maliciously crafted path, potentially influenced by prompt injection, to resolve to a sibling directory with a name sharing the memory root's prefix, thereby escaping the sandbox restrictions. This enables unauthorized filesystem reads and writes outside the intended restricted directory. The vulnerability is tracked as CVE-2026-34451 and has a CVSS 4.0 base score of 6.3 (medium severity). The issue was patched in version 0.81.0 of the SDK.
Potential Impact
Exploitation of this vulnerability allows an attacker to read from and write to filesystem locations outside the sandboxed memory directory intended by the SDK. This could lead to unauthorized access or modification of files on the host system where the SDK is running. The impact is limited by the requirement of a model-driven prompt injection to supply the crafted path. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade the anthropic-sdk-typescript package to version 0.81.0 or later, where this path traversal vulnerability has been patched. No other mitigations are specified or required once the update is applied.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T18:18:14.895Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69cc424fe6bfc5ba1d44f4b4
Added to database: 3/31/2026, 9:53:19 PM
Last enriched: 4/8/2026, 12:07:06 AM
Last updated: 5/14/2026, 10:01:48 PM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.