Key vulnerability information

Vulnerability title
Permission deny bypass through symlink

Affected package and versions
Package: @anthropic-ai/claude-code (npm)
Affected versions: < v1.0.120
Patched versions: v1.0.120

Description
- Claude Code failed to account for symbolic links when checking permission deny rules. If a user explicitly denied Claude Code access to a file, but Claude Code had access to a symlink pointing to that file, the file could still be accessed.
- Users on standard auto-update receive this fix automatically. Users who update manually are advised to update to the latest version.

Severity
Low (2.3 / 10)

CVSS v4 base metrics
Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: Present
- Privileges Required: None
- User Interaction: Passive
Vulnerable System Impact Metrics:
- Confidentiality: Low
- Integrity: Low
- Availability: None
Subsequent System Impact Metrics:
- Confidentiality: None
- Integrity: None
- Availability: None

CVE ID
CVE-2025-59829

Weaknesses
CWE-61
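
The kind of check the description refers to (a deny rule matched against the requested path instead of the symlink-resolved target, CWE-61), shown beside a hardened form. This is an added illustration, not code from Claude Code; the function names, file names and temporary sandbox are assumptions constructed for the example.

```javascript
// Added example; not Claude Code's implementation. All names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Resolve all symlinks; a dangling symlink cannot be verified, so it throws.
function canonical(p) {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch (err) {
    if (err.code !== "ENOENT") throw err;
    const st = fs.lstatSync(abs, { throwIfNoEntry: false });
    if (st && st.isSymbolicLink()) throw new Error("dangling symlink: " + abs);
    const parent = path.dirname(abs); // path not created yet: resolve parent
    return parent === abs ? abs : path.join(canonical(parent), path.basename(abs));
  }
}

// True if target equals denied or lies underneath it.
function covers(denied, target) {
  const rel = path.relative(denied, target);
  return rel === "" || (rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel));
}

// Weak check: compares the path string exactly as requested.
function isDeniedLexical(requested, denyList) {
  const target = path.resolve(requested);
  return denyList.some((d) => covers(path.resolve(d), target));
}

// Hardened check: compares symlink-resolved paths and fails closed on errors.
function isDeniedResolved(requested, denyList) {
  try {
    const target = canonical(requested);
    return denyList.some((d) => covers(canonical(d), target));
  } catch {
    return true;
  }
}

// Constructed sandbox: one denied file and a symlink that points at it.
function buildDemo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "deny-demo-"));
  const denied = path.join(dir, "secret.env");
  const link = path.join(dir, "notes.txt");
  fs.writeFileSync(denied, "constructed sample content\n");
  fs.symlinkSync(denied, link);
  return { dir, denied, link };
}
```

The hardened check only holds if the file is then opened through the resolved path (or the check is repeated on the opened descriptor); otherwise a link swapped between check and use reintroduces the gap.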