[NEWS] echo "/"; rm -rf /; echo — and Claude Code replies “Great idea, executing now”

ExcalibuR


The AI turned out to be chattier than a drunk programmer — and spilled all its secrets to hackers.


During the pre-release testing phase of Claude Code, researchers at Cymulate identified two critically dangerous vulnerabilities that could turn the developer assistant into a tool for unauthorized system access. These flaws allowed attackers to bypass file system restrictions and inject arbitrary commands — with the AI assistant itself inadvertently helping to expose its own weaknesses.


The vulnerabilities, registered as CVE-2025-54794 and CVE-2025-54795, were given high CVSS scores — 7.7 and 8.7 respectively. The first affected the mechanism restricting access to the file system, while the second targeted the command execution subsystem built into Claude Code. Both issues have since been patched in versions v0.2.111 and v1.0.20, but prior to the updates, an attacker could use the assistant itself to analyze its behavior and craft requests that resulted in system takeover.


Claude Code was designed to simplify development workflows: it can write and analyze code based on natural language instructions, and execute it in a sandboxed environment. To protect users, the system implements a command allowlist and restricts access to files outside the current working directory. However, as researcher Elad Biber from Cymulate demonstrated, these safeguards were flawed due to overly simplistic validation logic.


The path validation vulnerability (CVE-2025-54794) stemmed from the way Claude determined whether file operations were allowed — by simply comparing path prefixes. If the working directory was, for example, /Users/developer/project, the assistant would also allow access to /Users/developer/project_malicious, treating them as identical due to the shared prefix. This naive check allowed attackers to escape the safe zone, especially when using symbolic links.


The second vulnerability, CVE-2025-54795, involved the command execution mechanism. Claude only allowed a limited set of commands from the allowlist, but failed to properly sanitize the arguments passed to them. This meant that a cleverly structured string like `echo "/"; malicious_command; echo "/"` would pass validation and be fully executed — since echo was considered a safe command.
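Both flaws above come down to the same mistake: validating a string representation instead of the thing the string denotes. The added example below is not Cymulate's or Anthropic's code; it places a naive prefix check and a naive first-word allowlist beside hardened versions that resolve symlinks and tokenise like a POSIX shell. The directory layout, the allowlist contents and the `secrets.txt` name are constructed for the demonstration.

```python
import os
import shlex
import tempfile
from pathlib import Path

def naive_is_inside(root: str, target: str) -> bool:
    """Prefix comparison on path strings, the pattern the article describes."""
    return os.path.abspath(target).startswith(os.path.abspath(root))

def strict_is_inside(root: str, target: str) -> bool:
    """Resolve symlinks and '..' first, then require component-wise containment."""
    root_r, target_r = Path(root).resolve(), Path(target).resolve()
    return root_r == target_r or root_r in target_r.parents

def symlink_escape_demo() -> tuple:
    """Constructed layout: project/link -> outside. Returns (naive, strict) verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        project = os.path.join(tmp, "project")
        outside = os.path.join(tmp, "outside")
        os.makedirs(project)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(project, "link"))
        target = os.path.join(project, "link", "secrets.txt")
        return naive_is_inside(project, target), strict_is_inside(project, target)

ALLOWLIST = {"echo", "ls", "cat"}            # constructed allowlist for the demo
OPERATORS = {";", "|", "||", "&", "&&", "(", ")", "<", ">", ">>"}

def naive_command_allowed(cmdline: str) -> bool:
    """Only the first word is checked; the rest is handed to the shell untouched."""
    words = cmdline.split()
    return bool(words) and words[0] in ALLOWLIST

def strict_command_allowed(cmdline: str) -> bool:
    """Tokenise like a POSIX shell and refuse any control operator or substitution.

    Quoted text stays inside its token, so 'echo "a;b"' is still accepted, while an
    unquoted ';' becomes its own token. '$' and backticks are refused anywhere, which
    is deliberately conservative.
    """
    try:
        tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    except ValueError:          # unbalanced quotes
        return False
    if not tokens or tokens[0] not in ALLOWLIST:
        return False
    return not any(t in OPERATORS or "$" in t or "`" in t for t in tokens)
```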


What makes these vulnerabilities particularly dangerous is how they were discovered. Biber exploited the capabilities of Claude itself — the assistant, unaware of the implications, readily explained its internal mechanisms and how they could be bypassed. This form of attack, dubbed InversePrompt, enables an attacker to use the model as a reverse engineering tool to uncover its own weaknesses.


Anthropic responded quickly to the incident, releasing patches to address both flaws. However, the fact that an intelligent assistant can inadvertently disclose details of its own architecture raises serious concerns about the design of such systems. In a world where AI tools are increasingly bridging the gap between users and the system level, their input filtering, isolation, and validation requirements must be as stringent as those in traditional operating systems.