CVE-2025-59829

Claude Code: Permission deny bypass is possible through symlink

CVSS 2.3 LOW · EPSS 0.4% · CWE-61
In short

Claude Code could bypass file access restrictions by using symbolic links (shortcuts) to reach files that were supposed to be blocked. This means if you denied the tool access to a file, it could still read it through a shortcut pointing to that file.

Technical detail

CWE-61 (Improper Validation of Symlink Resolution) in Claude Code versions <1.0.120: the permission deny mechanism failed to resolve and validate symlink targets, allowing an attacker with symlink creation capability to access restricted files indirectly. Mitigation requires following symlinks during permission checks or denying symlink traversal entirely.

Summary generated and translated by AI from the official description.
Claude Code is an agentic coding tool. Versions below 1.0.120 failed to account for symlinks when checking permission deny rules. If a user explicitly denied Claude Code access to a file and Claude Code had access to a symlink pointing to that file, it was possible for Claude Code to access the file. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version. This issue is fixed in version 1.0.120.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
anthropics · claude-code
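
The mitigation named above, resolving symlinks during the permission check, shown as an added Node.js example; this is not Claude Code's own code. The function names, file names and fixture contents are hypothetical and constructed for the illustration.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Canonicalize a path; for a path that does not exist yet, resolve the
// nearest existing ancestor and re-append the remaining components.
function canonical(p) {
  const abs = path.resolve(p);
  try {
    return fs.realpathSync(abs);
  } catch (err) {
    if (err.code !== "ENOENT") throw err;
    const parent = path.dirname(abs);
    return parent === abs ? abs : path.join(canonical(parent), path.basename(abs));
  }
}

// Weak check: compares the requested name only, so a symlink slips past.
function deniedLexical(requested, denyList) {
  const abs = path.resolve(requested);
  return denyList.some((d) => abs === path.resolve(d));
}

// Hardened check: compares what the path actually resolves to. A deny entry
// that is a directory also covers everything beneath it.
function deniedResolved(requested, denyList) {
  const real = canonical(requested);
  return denyList.some((d) => {
    const deny = canonical(d);
    return real === deny || real.startsWith(deny + path.sep);
  });
}

// Constructed fixture: a denied file and a symlink pointing at it.
function buildFixture() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "deny-demo-"));
  const secret = path.join(dir, "secret.env");
  const link = path.join(dir, "notes.txt");
  const plain = path.join(dir, "readme.md");
  fs.writeFileSync(secret, "TOKEN=constructed-sample\n");
  fs.writeFileSync(plain, "hello\n");
  fs.symlinkSync(secret, link);
  return { dir, secret, link, plain };
}

const demo = buildFixture();
console.log("lexical check denies symlink:", deniedLexical(demo.link, [demo.secret]));
console.log("resolved check denies symlink:", deniedResolved(demo.link, [demo.secret]));
fs.rmSync(demo.dir, { recursive: true, force: true });
```

The check and the later file open should act on the same resolved path, since a link swapped between the two steps would otherwise undo the check.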
