Adam Chester from SpecterOps walks through how he discovered CVE-2025-64755, a remote code execution primitive in Anthropic’s Claude Code agent. Starting from a client engagement about the risks of Model Context Protocol (MCP) servers, he reverse-engineers Claude Code’s heavily obfuscated CLI, maps out its regex-based command allowlists and Haiku-backed safety checks, and then zeroes in on the BashCommand tool’s validation logic. By abusing weak parsing of sed expressions, he shows how an attacker can write to and read from arbitrary files (e.g. .zshenv), turning prompt injection via MCP or other sinks into reliable RCE on a developer’s machine. Anthropic patched the issue in Claude Code v2.0.31 and assigned it CVE-2025-64755.
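For defenders building similar command allowlists, the sketch below is an added example (not code from the write-up or from Claude Code) of a fail-closed alternative to pattern-matching sed arguments: it parses the script and accepts only a small side-effect-free subset. The function names, the permitted subset and the sample scripts are assumptions made for illustration.

```python
import re

# Assumption: only numeric/'$' addresses, p, d and s (without w/e flags) are permitted.
PREFIX = re.compile(r" *(?:(?:\d+|\$)(?:,(?:\d+|\$))?)?")  # spaces + optional address
SAFE_COMMANDS = "pd"             # print, delete
SAFE_S_FLAGS = "gpIi0123456789"  # excludes 'w' (write file) and 'e' (execute)


def _end_of_substitute(script, i):
    """script[i] is 's'. Return the index just past its flags, or -1 to reject."""
    if i + 1 >= len(script) or script[i + 1] in "\\ ":
        return -1
    delim, pos = script[i + 1], i + 2
    for _ in range(2):                       # pattern, then replacement
        while pos < len(script) and script[pos] != delim:
            pos += 2 if script[pos] == "\\" else 1   # skip an escaped character
        if pos >= len(script):
            return -1                        # unterminated s command
        pos += 1                             # consume the delimiter
    while pos < len(script) and script[pos] != ";":
        if script[pos] not in SAFE_S_FLAGS:
            return -1                        # e.g. s/a/b/w FILE or s/a/b/e
        pos += 1
    return pos


def is_read_only_sed_script(script):
    """True only if every command is provably inside the permitted subset."""
    if not script.strip() or "[" in script or "\n" in script:
        return False     # fail closed: '[' may change where a pattern ends
    pos = 0
    while pos < len(script):
        pos = PREFIX.match(script, pos).end()
        if pos >= len(script):
            return False                     # address or separator with no command
        if script[pos] == "s":
            pos = _end_of_substitute(script, pos)
            if pos < 0:
                return False
        elif script[pos] in SAFE_COMMANDS:
            pos += 1
        else:
            return False                     # w, W, r, R, e and anything unknown
        if pos < len(script):
            if script[pos] != ";":
                return False                 # trailing text after a command
            pos += 1
    return True
```

The check covers only the script argument; options such as in-place editing and the file operands still need their own validation.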