CVE-2025-54795

CRITICAL

Claude Code < 1.0.20 - OS Command Injection via Confirmation Prompt Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-54795. PoCs published by dial481, alonisser.

AI-analyzed exploit summary: This repository provides a functional reimplementation of the Ralph Wiggum autonomous loop technique for Claude Code, bypassing security restrictions introduced in CVE-2025-54795 by avoiding direct bash execution in command files and instead using a separate stop hook script.

Description

Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20.

Exploits (2)

nomisec WORKING POC
by dial481 · poc
https://github.com/dial481/ralph

This repository provides a functional reimplementation of the Ralph Wiggum autonomous loop technique for Claude Code, bypassing security restrictions introduced in CVE-2025-54795 by avoiding direct bash execution in command files and instead using a separate stop hook script.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Claude Code v1.0.20+
No auth needed
Prerequisites: Claude Code installation · jq for JSON parsing
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by alonisser · poc
https://github.com/alonisser/ralph

This repository provides a functional reimplementation of the Ralph Wiggum autonomous loop technique for Claude Code, bypassing security restrictions introduced in CVE-2025-54795 by avoiding direct bash execution in command files and instead using a separate stop hook script.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Claude Code v1.0.20+
No auth needed
Prerequisites: Claude Code 1.0.20+ · jq for JSON parsing
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.0054
EPSS Percentile 68.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE: CWE-78
Status: published
Products (2):
anthropic/claude_code < 1.0.20
anthropic-ai/claude-code 0 - 1.0.20 (npm)
Published: Aug 05, 2025
Tracked Since: Feb 18, 2026