Cymulate — InversePrompt Bypasses Claude Code Path Restrictions & Command Injection (CVE-2025-54794, CVE-2025-54795)

What happened

  • A Cymulate researcher discovered two high-severity vulnerabilities in Anthropic's Claude Code during its Research Preview phase, both triggered through crafted prompt techniques the researcher dubbed "InversePrompt."
  • CVE-2025-54794: Path restriction bypass — Claude Code's Current Working Directory (CWD) guard can be evaded via carefully worded prompts that trick the model into reading or writing files outside the allowed directory, bypassing the consent gate.
  • CVE-2025-54795: Command injection — the whitelisted command enforcement can be subverted, allowing execution of non-allowed shell commands (e.g., curl, rm) without triggering user confirmation prompts.
  • The technique is novel: rather than attacking the model directly, the attacker "turns the tool inward" by exploring how Claude Code interprets and validates its own inputs, causing the enforcement system to undermine itself.
  • Claude Code runs with the current user's privileges and connects to the local filesystem and shell, making these bypasses particularly dangerous in practice — an agent with filesystem access that ignores its own sandbox rules can leak secrets, modify configs, or escalate locally.
  • Anthropic addressed the vulnerabilities quickly after disclosure, but the findings highlight a broader pattern: LLM-powered developer tools that enforce rules via the same model that processes user prompts are inherently circular in their security model.
  • The researcher used deobfuscated Claude Code source code (published by independent analysts) to reverse-engineer the internal validation flow, demonstrating that even closed-source agent tools are tractable to motivated researchers.

Why it matters

AI coding agents like Claude Code are deployed across thousands of developer environments with access to production repositories, cloud credentials, and internal tooling. If the agent's own enforcement logic can be coerced into bypassing its guards, the CWD restriction and command whitelist provide no real isolation — the agent's sandbox is only as strong as its prompt validation. Organizations deploying AI coding assistants need to assume the enforcement layer itself is bypassable.

What to do

  • Update Claude Code to the latest version — Anthropic patched both CVEs after disclosure.
  • Run AI coding agents in isolated environments (containers, VMs) rather than on developer workstations with broad access.
  • Apply allowlisting at the OS level (e.g., AppArmor, seccomp, sandboxd) rather than relying solely on LLM-enforced boundaries.
  • Monitor Claude Code activity logs for unexpected file access or command execution outside the project directory.
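As an added illustration of the last two items (example code, not code from Cymulate, Anthropic or the original post): a small Python checker that applies proper path containment and per-segment command allowlisting to activity-log lines. The log layout, PROJECT_DIR and ALLOWED_COMMANDS are assumptions constructed for the example, not Claude Code's real format or policy.

```python
import posixpath
import re
import shlex

# Constructed sample log. Claude Code's real activity-log format is not on the
# page; the "ts tool=... path=.../cmd=..." layout is an assumption for illustration.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z tool=Read path=/home/dev/project/src/main.py
2025-08-01T10:00:02Z tool=Read path=/home/dev/project/../.ssh/id_ed25519
2025-08-01T10:00:03Z tool=Write path=/home/dev/project-backup/notes.txt
2025-08-01T10:00:04Z tool=Bash cmd="git status"
2025-08-01T10:00:05Z tool=Bash cmd="git status && rm -rf build"
2025-08-01T10:00:06Z tool=Bash cmd="curl http://example.invalid/"
"""
PROJECT_DIR = "/home/dev/project"                    # the agent's CWD boundary (assumed)
ALLOWED_COMMANDS = frozenset({"git", "ls", "cat"})   # hypothetical allowlist
LINE_RE = re.compile(r'^(?P<ts>\S+) tool=\w+ (?:path=(?P<path>\S+)|cmd="(?P<cmd>[^"]*)")$')


def path_within(path: str, root: str) -> bool:
    # normpath collapses "..", so project/../.ssh lands outside; commonpath (not
    # str.startswith) keeps the sibling project-backup from passing as inside.
    # On a live host also apply os.path.realpath so symlinks cannot escape the tree.
    norm_path, norm_root = posixpath.normpath(path), posixpath.normpath(root)
    try:
        return posixpath.commonpath([norm_path, norm_root]) == norm_root
    except ValueError:  # absolute mixed with relative
        return False


def command_allowed(cmd: str, allowlist=ALLOWED_COMMANDS) -> bool:
    # Judge every segment of a compound command, not just its first word.
    if "$(" in cmd or "`" in cmd:  # command substitution hides a second program
        return False
    for segment in re.split(r"[;|&]+", cmd):
        words = shlex.split(segment)
        if words and words[0] not in allowlist:
            return False
    return True


def find_violations(log_text, project_dir=PROJECT_DIR, allowlist=ALLOWED_COMMANDS):
    # Return (timestamp, reason, detail) for each access or command outside policy.
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["path"] is not None and not path_within(m["path"], project_dir):
            violations.append((m["ts"], "path_outside_project", m["path"]))
        elif m["cmd"] is not None and not command_allowed(m["cmd"], allowlist):
            violations.append((m["ts"], "command_not_allowlisted", m["cmd"]))
    return violations
```

Running `find_violations(SAMPLE_LOG)` flags the `..` traversal, the sibling directory, and both compound or non-allowlisted commands while leaving the in-tree read and plain `git status` alone.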
