关键漏洞信息 漏洞名称 Command Injection via Piped sed Command Bypasses File Write Restrictions 漏洞类型 Command Injection CVSS Severity High (7.7/10) Affected Versions < v2.0.55 Patched Versions v2.0.55 Description Claude Code 未能正确验证使用 piped sed 操作与 echo 命令结合的命令,导致攻击者能够绕过文件写入限制。此漏洞允许在项目范围之外的敏感目录(如 .claude 文件夹)和路径中进行写入操作。利用此漏洞需要具备通过“接受编辑”功能使用 Claude Code 执行命令的能力。 标准的 Claude Code 自动更新用户会自动收到此修复。建议进行手动更新的用户更新到最新版本。 CVSS v4 Base Metrics Exploitability Metrics - Attack Vector: Network - Attack Complexity: Low - Attack Requirements: Present - Privileges Required: None - User Interaction: Passive Vulnerable System Impact Metrics - Confidentiality: High - Integrity: High - Availability: High Subsequent System Impact Metrics - Confidentiality: None - Integrity: None - Availability: None CVE ID CVE-2026-25723 Weaknesses CWE-20 CWE-78