Trellix Source Code Breach, Raise Incident Response Protocol Concern
Trellix Source Code Breach exposes vulnerabilites
Continue ReadingDevsecops
Surge in Cyber Security Spending; Focus on Cloud Security & AI
Surge in Cyber Security Spending; Focus on Cloud Security & AI in 2026
Continue Reading
High-severity path traversal vulnerability was identified in Docker Compose
Docker Compose Path Traversal Vulnerability Enables Arbitrary File Write and System Compromise
Summary:
| OEM | Docker |
| Severity | High |
| CVSS Score | 8.9 |
| CVEs | CVE-2025-62725 |
| Date of Announcement | 2025-10-28 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
A high-severity path traversal vulnerability was identified in Docker Compose, a widely-used tool for defining and managing multi-container Docker applications.
This flaw occurs in the handling of remote OCI-based Compose artifacts, allowing an attacker to craft malicious artifact annotations that bypass directory restrictions. As a result, malicious files can be written outside the intended cache directory on the host system.
This vulnerability can be triggered even by seemingly harmless commands such as docker compose ps or docker compose config that resolve remote artifacts. Organizations should upgrade immediately to avoid possible system compromise.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Path Traversal in OCI Artifacts Allowing Arbitrary File Write | CVE-2025-62725 | Docker Compose CLI | High | 8.9 |
Technical Summary
Docker Compose added support for fetching Compose files as OCI artifacts from remote registries. These artifacts contain layers with annotations indicating file paths for writing.
The vulnerability exists because Docker Compose did not sanitize or validate these path annotations prior to writing files, allowing path traversal sequences to escape the cache directory.
Attackers can exploit this by publishing malicious OCI artifacts with crafted annotations, leading to arbitrary file writes anywhere the Compose process has permissions, potentially overwriting sensitive files such as SSH authorized_keys, escalating privileges and compromising the host. The flaw affects Docker Compose versions prior to v2.40.2.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62725 | Docker Compose (Linux, Windows, macOS) | Path traversal via malicious remote OCI artifact annotations allowing arbitrary file write outside the Compose cache directory. | Arbitrary file write, potential system compromise, privilege escalation. |
Remediation
Apply security patches immediately to mitigate risks from privilege escalation and container escape.
- Update Docker-compose to v2.40.2 or the latest one.
Conclusion
Docker Compose vulnerability poses a serious risk of arbitrary file writes and system compromise through malicious OCI artifacts.
Due to the ease of exploitation when using remote Compose files, all users and organizations should upgrade to the patched Docker Compose version immediately, scrutinize remote artifact usage, and enhance their container security hygiene to mitigate this significant threat.
References
TARmageddon Exploitable Tar Extraction Flaw Exposes Systems to Privilege Escalation
Summary A critical vulnerability known as Tarmageddon (CVE-2025-62518) impacts multiple tar extraction utilities and libraries, including GNU tar, libarchive, Python’s tarfile module, and the Rust async-tar library.
| Severity | High |
| CVSS Score | 7.8 |
| CVEs | CVE-2025-62518 |
| POC Available | Yes, public PoC and patches available (edera-dev GitHub) |
| Actively Exploited | Not confirmed widespread exploitation public PoC raises opportunistic risks |
| Exploited in Wild | No confirmed mass exploitation at time of writing |
| Advisory Version | 1.0 |
Overview
Tarmageddon (CVE-2025-62518) vulnerability Improper path sanitization and symlink-target validation during extraction enable a crafted tar archive to write files outside the intended extraction directory, leading to arbitrary file overwrite, privilege escalation, or remote code execution when executed by privileged or automated services.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Tar path traversal / symlink bypass (async-tar RCE vector) | CVE-2025-62518 | GNU tar, libarchive, Python tarfile, Rust async-tar and downstream tools | High | Patches released by maintainers; reference fixes in Edera patch repository and vendor advisories |
Technical Summary
Root cause: insufficient canonicalization of file paths and incomplete sanitization of symlink targets within tar archive headers. Behavioral details: Path traversal via ../ sequences and chained symlinks allows crafted archives to escape the extraction root and overwrite system binaries, configuration files, or startup scripts.
A public proof-of-concept confirms this behavior in affected async-tar implementations. Fix: apply upstream and distribution patches that normalize paths and validate symlink targets (edera-dev patches).
Exploitability: public PoC exists for CVE-2025-62518, highest risk when automated extractions run with elevated privileges (CI/CD, build, backup). Manual extraction is lower risk. Impact: Malicious extraction can overwrite critical files, allow service takeover or remote code execution, and lead to full host compromise if run as root.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-62518 | Tar libraries and tools async-tar, GNU tar, libarchive, Python tarfile, and any tools that use them. | Crafted tar entries can bypass path checks and write outside the extraction folder (PoC available). | Can overwrite files, allow privilege escalation/RCE if run as root, and contaminate build/CI artifacts. |
Remediation:
- Apply patches immediately — update tar libraries and utilities with vendor or distribution fixes (Edera patches where applicable).
- Disable automatic extraction of untrusted archives in gateways, ingestion services and CI/CD systems.
- Use least privilege for extraction processes — avoid root / Administrator contexts.
- Replace unsafe extraction calls (e.g., tarfile.extractall()) with secure wrappers that validate path components and reject traversal or symlink abuses.
- Sandbox extraction inside containers or VMs with strict filesystem scoping (read-only mounts, AppArmor/SELinux confinement).
- Inventory and update all images, containers, and build artifacts that bundle tar utilities or tar libraries.
Detection Guidance: Lab verification: Use the public PoC only in isolated virtual environments to validate that patched version block path traversal and symlink exploits.
SIEM / EDR indicators:
- File create/write events to sensitive paths (/etc, /usr/bin, /var, application config dirs) immediately following tar extraction processes.
- Creation of symlinks or reparse-points by tar-related processes.
- Processes invoking tar or Python extraction libraries writing outside expected extraction directories.
Conclusion:
Tarmageddon (CVE-2025-62518) is a high-risk archive extraction vulnerability that affects widely used tar utilities and libraries, including GNU tar, libarchive, Python’s tarfile, and the Rust async-tar implementation.
This vulnerability should be treated as a Priority-1 patch event for any environment performing automated or privileged tar extractions. Organizations are strongly advised to apply vendor patches immediately, enforce sandboxed extraction workflows, and implement strict least-privilege and path-validation controls to prevent arbitrary file overwrites, privilege escalation, and potential supply-chain compromise.
References:
Advanced eBPF Rootkit LinkPro Evade Detection in Linux Systems via Magic TCP Packets
Overview: LinkPro rootkit targets GNU/Linux systems: LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected systems. The sophisticated Linux rootkit linkpro was uncovered by Synacktiv CSIRT during an investigation of a compromised AWS infrastructure and evade detection in Linux Systems.
This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader that fetched a memory-resident vShell backdoor. This rootkit’s use of eBPF, a legitimate kernel feature, makes detection challenging in Linux as it operates at a low level within the Linux kernel.
Leveraging extended Berkeley Packet Filter (eBPF) technology, where linkpro backdoor evades detection by hiding its processes and network activity, activating remotely via a “magic packet.”
Source: www.synacktiv.com
Issues Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of ebpf for advanced persistent threats (apts) in cloud environments.
The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.
It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.
If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly.
LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems.
Attack Flow
IOCs
| IOC Type | Indicator | Description |
| Network | /api/client/file/download?Path=… | URL used to download tools/payloads onto the compromised host. |
| /reverse/handshake /reverse/heartbeat /reverse/operation | Endpoints the implant calls in reverse mode to receive operator commands. | |
| 18.199.101.111 | Destination IP used by LinkPro in forward (active) mode. | |
| File | /etc/systemd/system/systemd-resolveld.service | Malicious systemd service file named to look like systemd-resolved. |
| /root/.tmp~data.ok | Location/name of the LinkPro binary, disguised as a system file. | |
| /usr/lib/.system/.tmp~data.resolveld | Alternate disguised location for the LinkPro binary. | |
| /etc/libld.so | Malicious library loaded via /etc/ld.so.preload as a fallback concealment method. | |
| Host | Systemd-resolveld | Fake service name intended to be mistaken for systemd-resolved. |
| Conf_map | eBPF map holding the internal port used by the Knock module. | |
| Knock_map | eBPF map containing authorized IP addresses for the Knock module. | |
| Main_ebpf_progs | eBPF map listing programs that the Hide module manages. | |
| Pids_to_hide_map | eBPF map listing process IDs the rootkit hides. | |
| Hashes | D5b2202b7308b25bda8e106552dafb8b6e739ca62287ee33ec77abe4016e698b | Passive linkpro backdoor |
| 1368f3a8a8254feea14af7dc928af6847cab8fcceec4f21e0166843a75e81964 | Active linkpro backdoor | |
| B11a1aa2809708101b0e2067bd40549fac4880522f7086eb15b71bfb322ff5e7 | Ld_Preload module (libld.so) | |
| B8c8f9888a8764df73442ea78393fe12464e160d840c0e7e573f5d9ea226e164 | Hide ebpf module | |
| 364c680f0cab651bb119aa1cd82fefda9384853b1e8f467bcad91c9bdef097d3 | Knock ebpf module | |
| 0da5a7d302ca5bc15341f9350a130ce46e18b7f06ca0ecf4a1c37b4029667dbb | Vget downloader |
Recommendations:
Here are some recommendations below
- Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access.
- Restrict public exposure of CI/CD tools and enforce strict network segmentation.
- Monitor for suspicious Docker container deployments and unexpected host filesystem mounts.
- Watch for unusual or unauthorized eBPF program activity using kernel auditing tools.
- Regularly update Linux kernels and apply available security patches.
Conclusion:
The LinkPro rootkit is anadvanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.
It spreads through Jenkins vulnerabilities, container escapes and remote activation, highlighting the critical vigilance organizations must maintain to continuously monitor and secure their environments.
To protect against it, companies should focus on timely patching and monitoring suspicious activities.
References:
DoW Announced Implementation of CSRMC to Deliver Real Time Cyber Defense, Address Legacy Shortcomming’s
Managing cyber risk across the cyber security set up of an enterprise is harder than ever and keeping architectures and systems secure also compliant can be challenging and over whelming.
DoW (Deprtament of war) recently announced implementing of a groundbreaking Cybersecurity Risk Management Construct (CSRMC).
This is a transformative framework to deliver real-time cyber defense at operational speed and its five-phase construct that ensures a hardened, verifiable, continuously monitored and actively defended environment to ensure that U.S. warfighters maintain technological superiority against rapidly evolving cyber threats.
In comparison the previous Risk management framework dependent on static checklists and manual processes . The framework failed to account for operational needs and cyber survivability requirements.
How (CSRMC) is going to address legacy infrastructure shortcoming?
CSRMC addresses these gaps by shifting from “snapshot in time” assessments to dynamic, automated, and continuous risk management, enabling cyber defense at the speed of relevance required for modern warfare.
The construct is composed of a five-phase lifecycle and ten foundational tenets.
The Five-Phase Lifecycle
The new construct organizes cybersecurity into five phases aligned to system development and operations:
- Design Phase – Security is embedded at the outset, ensuring resilience is built into system architecture.
- Build Phase – Secure designs are implemented as systems achieve Initial Operating Capability (IOC).
- Test Phase – Comprehensive validation and stress testing are performed prior to Full Operating Capability (FOC).
- Onboard Phase – Automated continuous monitoring is activated at deployment to sustain system visibility.
- Operations Phase – Real-time dashboards and alerting mechanisms provide immediate threat detection and rapid response.
Ten Foundational Tenets
The CSRMC has 10 core principal
- Automation – driving efficiency and scale
- Critical Controls – identifying and tracking the controls that matter most to cybersecurity
- Continuous Monitoring and ATO – enabling real-time situational awareness to achieve constant ATO posture
- DevSecOps – supporting secure, agile development and deployment
- Cyber Survivability – enabling operations in contested environments
- Training – upskilling personnel to meet evolving challenges
- Enterprise Services & Inheritance – reducing duplication and compliance burdens
- Operationalization – ensuring stakeholders near real-time visibility of cybersecurity risk posture
- Reciprocity – reuse assessments across systems
- Cybersecurity Assessments – integrating threat-informed testing to validate security
“This construct represents a cultural fundamental shift in how the Department approaches cybersecurity,” said Kattie Arrington, performing the duties of the DoW CIO. “With automation, continuous monitoring, and resilience at its core, the CSRMC empowers the DoW to defend against today’s adversaries while preparing for tomorrow’s challenges.”
With the above tenants DoW is ensuring cyber survivability and mission assurance in every domain,air, land, sea, space, and cyberspace.
Addressing Cyber security risk management
Cybersecurity risk management isn’t simply the job of the security team; everyone in the organization has a role to play. Often siloed, employees and business unit leaders view risk management from their business function.
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
GaarudNode is an all-in-one solution designed to empower development teams with the tools they need to secure their applications throughout the development lifecycle. By combining the power of SAST, DAST, SCA, API security, and CSPM, GaarudNode provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
Mirage Cloak offers various deception methods to detect and stop threats before they cause damage. These methods include adding decoys to the network, deploying breadcrumbs on current enterprise assets, using baits as tripwires on endpoints, and setting up lures with intentionally misconfigured or vulnerable services or applications. The flexible framework also lets customers add new deception methods as needed.
BISO Analytics stands out as the pioneering security analytics platform designed to assist enterprises in effectively handling their first-party, third-party, and emerging risks, all within a single platform. This comprehensive solution facilitates a quicker and safer progression for your business.
By adopting a groundbreaking approach, BISO Analytics integrates open, data-centric cyber risk management practices, offering organizations a consolidated view of their cyber risk landscape across the entire attack surface.
BISO Analytics empowers CXO, mid-management, and operational teams with real-time, reliable, and defensible data that not only complies with regulatory standards but also aligns with the expectations of the board regarding safeguarding shareholder value and fortifying the business.
Why it is important to implement cybersecurity risk management at organisational level
Having an effective cybersecurity risk management program can only be implemented in an organization through a structured process. This requires careful planning, resource allocation and commitment to improving security framework.
Registering documents that assess risk related activities include high asset inventories like all systems and data. When risk are registered it contain records of determined risk, data theft or results of assessment and planned treatments.
Organizations that possess all documentation involving controls and their implementation level. In this scenario organizations actually understands what exactly is risk assessment and identifying what can go wrong in an organization’s system either anything that is via threats, vulnerabilities and their possible impact.
As the saying goes we can’t protect what you don’t understand and one can’t manage what they don’t assess.
Visit our website for more informed details on our products.
(Source: www.miragenews.com/war-dept-unveils-new-cybersecurity-risk-1540279/)
Angular SSR Vulnerability Allows Cross-Request Data Exposure (CVE-2025-59052)
Security Advisory: A high security flaw was discovered in Angular’s server-side rendering (SSR) functionality that could lead to cross-request data leakage due to a global race condition. This is identified as CVE-2025-59052, affects multiple versions of Angular’s @angular/platform-server, @angular/ssr and @nguniversal/common packages.
With data breaches at highest, Organizations using vulnerable Angular versions should update immediately or implement recommended workarounds to avoid potential data breaches.
| Severity | High |
| CVSS Score | 7.1 |
| CVEs | CVE-2025-59052 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Angular is a popular open-source web application framework developed by Google, used to build dynamic, single-page applications (SPAs) and server-rendered apps using HTML, TypeScript and JavaScript.
When multiple SSR requests are processed concurrently, sensitive state information may be inadvertently shared, potentially exposing user tokens or private data across unrelated sessions. The Angular has released patches across all active branches and urges developers to update immediately.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Race condition vulnerability | CVE-2025-59052 | Angular platform-server, ssr | High | v18.2.14, v19.2.15/16, v20.3.0, v21.0.0-next.3 |
Technical Summary
Angular uses a dependency injection (DI) container called the platform injector during SSR to hold request-specific data. This container was implemented as a global module-scoped variable, introducing a race condition when multiple requests were processed simultaneously.
This flaw could cause data meant for one user to be sent in the response to another, potentially leaking authentication tokens, headers, or private content.
Affected APIs include bootstrapApplication, getPlatform, destroyPlatform. These changes introduce SSR-only breaking changes, with automatic migration schematics available through the Angular CLI update process.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-59052 | Angular SSR v16 to v21 | Race condition in global DI container during SSR could leak user data across requests | Cross-Request Data Leakage |
Recommendations:
Upgrade Angular packages to the latest patched versions:
| Package | Affected Versions | Fixed Versions |
| @angular/platform-server | >=16.0.0-next.0 <18.2.14 >=19.0.0-next.0 <19.2.15 >=20.0.0-next.0 <20.3.0 >=21.0.0-next.0 <21.0.0-next.3 | 18.2.14 19.2.15 20.3.0 21.0.0-next.3 |
| @angular/ssr | >=17.0.0-next.0 <18.2.21 >=19.0.0-next.0 <19.2.16 >=20.0.0-next.0 <20.3.0 >=21.0.0-next.0 <21.0.0-next.3 | 18.2.21 19.2.16 20.3.0 21.0.0-next.3 |
If Immediate Upgrade is Not Possible, you can follow the recommendations below
- Disable SSR via server routes or build configurations
- Remove asynchronous behavior from custom bootstrap functions
- Eliminate use of getPlatform() in server-side code
- Ensure ngJitMode is set to false in production builds
Conclusion:
The Angular SSR vulnerability CVE-2025-59052 is the high severity issue with global state management during concurrent request processing, resulting in potential cross-request data exposure.
Though not yet exploited in the wild, the risk is significant for SSR-enabled Angular apps. Developers are urged to apply updates promptly or follow the provided mitigation steps to secure their applications.
As per reports this vulnerability requires no special privileges or user interaction, making it both easy to exploit and dangerous in high-traffic applications.
References:
Hashtags
#Infosec #CyberSecurity #Angular #SecurityAdvisory #WebSecurity #Vulnerabilitymanagement #DevSecOps #PatchManagement #CISO #CXO #Intrucept
Adversarial Prompt Engineering can bypass Robust Safety Mechanisms; GPT-5 Jailbreak reveal’s the bypass Security strategy
OpenAI’s Advance AI system revealed Critical Vulnerabilities as attack vectors like storytelling and echo chamber module being used by GPT-5.
The breakthrough demonstrates how adversarial prompt engineering can bypass even the most robust safety mechanisms, This raised serious concerns about enterprise deployment readiness and the effectiveness of current AI alignment strategies discovered in august.
What is to Jailbreak in GPT-5
GPT-5 Jailbroken, in two parts by researchers who bypassed safety protocol using echo chamber and storytelling attacks.
As Storytelling attacks are highly effective and traditional methods. This kind of attacks requires additional security before deployment.
When researchers of NeuralTrust reported, the echo chamber attack leverages GPT-5’s enhanced reasoning capabilities against itself by creating recursive validation loops that gradually remove all safety protocols.
So the researchers’ employed a technique called contextual anchoring, where malicious prompts are embedded within seemingly legitimate conversation threads that establish false consensus.
The interesting part is the latest attack aimed at GPT-5, researchers found that it’s possible to infect harmful procedural content by framing it in the context of a story by feeding as input to the AI system.
Using a set of keywords and creating sentences using those words and subsequently expanding on those themes.
The attack modelled in form of a “persuasion” loop within a conversational context, while slowly-but-steadily taking the model on a path that minimizes refusal triggers and allows the “story” to move forward without issuing explicit malicious prompts.
These jailbreaks can be executed with nearly identical prompts across platforms, allowing attackers to bypass built-in content moderation and security protocols. Result is generating illicit or dangerous content.
Enterprise environment exposed to risk
If a malicious user deliberately inputs a crafted prompt into a customer service chatbot that instructs the LLM to ignore safety rules, query confidential databases. This could trigger more actions like emailing internal content.
Similarly in the context of GPT -5, what happened the attackers constructed elaborate fictional frameworks that gradually introduce prohibited elements while maintaining plausible deniability.
The outcome as per researchers is storytelling attacks can achieve 95% success rates against unprotected GPT-5 instances, compared to traditional jailbreaking methods that achieve only 30-40% effectiveness.
Once successfully exploited both echo chamber and storytelling attack vectors demonstrates that unless enterprises are ready with their baseline safety measures, deploying any kind of enterprise-grade applications is useless.
Enterprises who are ready to implement a comprehensive AI security strategy, that include prompt hardening, real-time monitoring and automated threat detection systems before production deployment will be better secured.
Sources: Researchers Uncover GPT-5 Jailbreak and Zero-Click AI Agent Attacks Exposing Cloud and IoT Systems
Patch Now! Claude Code Vulnerabilities Allow Unauthorized Command Execution, CVEs Affect AI Security Foundations
Summary
Anthropic’s Claude Code gained traction as a powerful AI coding assistant and promises developers a safe and streamlined way to build with Claude’s capabilities. But recently two high-severity vulnerabilities have been discovered in Claude Code, Anthropic’s AI-powered coding assistant. These flaws allow attackers to escape security restrictions and execute arbitrary system commands.
AI coding assistant was meant to enforce restrictions but unknowingly reveals how to bypass them. Threat researchers from Cymulate discovered two high-severity vulnerabilities in Claude Code, which were quickly addressed by the team.
These issues allowed me to escape its intended restrictions and execute unauthorized actions, all with Claude’s own help.
| Severity | High |
| CVSS Score | 8.7 |
| CVEs | CVE-2025-54794, CVE-2025-54795 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Notably, Claude’s own feedback mechanisms were leveraged by attackers to refine and optimize their payloads.
These CVEs highlight how generative AI tools can be manipulated into aiding exploitation attempts, demonstrating the risks of integrating AI into secure development workflows.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Path Restriction Bypass | CVE-2025-54794 | Claude Code < v0.2.111 | 7.7 | v0.2.111 |
| Command Injection | CVE-2025-54795 | Claude Code < v1.0.20 | 8.7 | v1.0.20 |
Technical Summary
CVE-2025-54794 – Directory Restriction Bypass
Claude Code tried to keep file access safe by only allowing work in certain folders. But it used a weak method to check file paths it just checked if the file name started with an allowed folder name. An attacker could create a folder with a similar name (like /tmp/allowed_dir_malicious) and trick Claude into thinking it was safe.
This could allow attackers to reach outside the safe folder, read secret files or even access system settings. Using symbolic links, attackers could also jump to important files that should never be touched.
CVE-2025-54795 – Command Injection
Claude only allows certain commands, like echo or ls, to run. But there was a mistake in how it cleaned user input. Attackers could hide harmful commands inside allowed ones. Example – echo “\”; <MALICIOUS_COMMAND>; echo \”” tricks Claude into running the attacker’s command between two harmless echo commands.
Even worse, Claude helped improve these attack attempts. When a try failed, the attacker asked Claude why it didn’t work. Claude explained the problem and suggested fixes leading to successful attacks.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-54794 | Claude Code versions below v0.2.111 | Claude used a weak prefix matching to check if files were inside a safe folder. Attackers could create folders with similar names to bypass these checks. | Attackers can escape the sandbox, access sensitive files, and potentially escalate system privileges. |
| CVE-2025-54795 | Claude Code versions below v1.0.20 | Claude allowed only safe commands, but input was not cleaned properly. Attackers could hide malicious commands inside allowed ones like echo. | Attackers can run harmful commands, open applications, and possibly install malware or backdoors. |
POC Available:
This vulnerability exploits a weakness in how Claude handles whitelisted command strings. Improper input sanitization allows attackers to inject arbitrary shell commands using echo, bypassing any user prompt or approval.
- Exploitation Steps (PoC)
Step 1 – Try a basic payload
echo “test”; ls -la ../restricted (This gets flagged by Claude, and it asks for user confirmation)
Step 2 – Refined working payload:
echo “\”; ls -la ../restricted; echo \””
Claude executes this without a prompt.
Lists a directory (../restricted) outside the current working directory, which should not be accessible.
Step 3 – Execute arbitrary system command (e.g., launch Calculator)
echo “\”; open -a Calculator; echo \””
This launches the Calculator app without any user approval.
- Why Did This Work?
- Improper Input Escaping:
Claude Code embeds user input into echo “<input>“ but doesn’t properly sanitize or escape the contents.
- Payload Explains the Exploit:
- echo “\”; → closes the initial string
- COMMAND → injects and executes arbitrary command
- ; echo \”” → reopens the string to make it appear valid
- Claude sees this as just another harmless echo command
- Since echo is whitelisted, it runs automatically
- The attacker’s payload slips through the gap and executes
- If the Claude Code is running with higher privileges, attackers can perform Local Privilege Escalation (LPE)
Remediation:
- Update immediately Claude
For CVE-2025-54794 → Update to v0.2.111 or later
For CVE-2025-54795 → Update to v1.0.20 or later
- Check logs and systems where Claude was used for suspicious behavior.
- Don’t allow untrusted files or user input into Claude’s coding environment.
Conclusion:
These vulnerabilities highlight a growing concern in AI-assisted development, the AI’s ability to assist malicious users. Claude Code not only allowed abuse through technical flaws, but also helped attackers refine and improve their exploitation strategy.
Organizations leveraging AI in development pipelines must apply the same rigor used for traditional tools, enforce strict input validation, isolate environments and assume AI can be misled or exploited.
Anthropic’s security and engineering teams has been fast with their professional response and smooth coordination during disclosure.
References:
Analyzing the newly discovered Vulnerability in Gemini CLI; Impact on Software coding
Google’s Gemini command line interface (CLI) AI agent
Its not been one month when Google’s Gemini CLI vulnerability discovered by Tracebit researchers and found attackers could use prompt injection attacks to steal sensitive data.
Google’s Gemini CLI, an open-source AI agent for coding could allow attackers exploit to hide malicious commands, using “a toxic combination of improper validation, prompt injection and misleading UX,” as Tracebit explains.
After reports of the vulnerability surfaced, Google classified the situation as Priority 1 and Severity 1 on July 23, releasing the improved version two days later.
Those planning to use Gemini CLI should immediately upgrade to its latest version (0.1.14). Additionally, users could use the tool’s sandboxing mode for additional security and protection.
Disclosure of the vulnerability
Researchers reported on vulnerability directly to Google through its Bug Hunters programme. According to a timeline provided by Tracebit, the vulnerability was initially reported to Google’s Vulnerability Disclosure Programme (VDP) on 27 June, just two days after Gemini CLI’s public release.
Impact of the vulnerability
A detailed analysis found that in the patched version of Gemini CLI, attempts at code injection display the malicious command to users. This require explicit approval for any additional binaries to be executed. This change is intended to prevent the silent execution that the original vulnerability enabled.
Tracebit’s researchers played an important role in discovering and reporting the issue which is symbol of independent security research, particularly as AI-powered tools become central to software development workflows.
LLM integral to software development but hackers are using it too
Gemini CLI integrates Google’s LLM with traditional command line tools such as PowerShell or Bash. This allows developers to use natural language prompts to speed up tasks such as analyzing and debugging code, generating documentation, and understanding new repositories (“repos”).
As developers worldwide are using LLMs to help them develop code faster, attackers worldwide are using LLMs to help them understand and attack applications faster.
Tracebit also discovered that malicious commands could easily be hidden in Gemini CLI This is possible by by packing the command line with blank characters, pushing the malicious commands out of the user’s sight.
More vigilance required when examining and running third-party or untrusted code, especially in tools leveraging AI to assist in software development.
Through the use of LLMs, AI excels at educating users, finding patterns and automate repetitive tasks.
Sam Cox, Tracebit’s founder, says he personally tested the exploit, which ultimately allowed him to execute any command — including destructive ones. “That’s exactly why I found this so concerning,” Cox told Ars Technica. “The same technique would work for deleting files, a fork bomb or even installing a remote shell giving the attacker remote control of the user’s machine.”
Source: https://in.mashable.com/tech/97813/if-youre-coding-with-gemini-cli-you-need-this-security-update
Recent Comments