PT-2026-29379 · Anthropic · Claude Sdk For Typescript

Nicksim · Published 2026-03-31 · Updated 2026-04-01 · CVE-2026-34451

CVSS v4.0: 6.3 (Medium)

Vector: AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: Claude SDK for TypeScript versions 0.79.0 through 0.80.9

Description: The Claude SDK for TypeScript, used for accessing the Claude API in TypeScript and JavaScript applications, had a flaw in its local filesystem memory tool. In versions from 0.79.0 up to, but not including, 0.81.0, path validation used a string prefix check that lacked a trailing path separator. A crafted path, supplied through prompt injection, could therefore resolve to a directory outside the intended sandbox, potentially enabling unauthorized read and write access.

Recommendations: Update to version 0.81.0 or later.
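
The flaw class named in the description, shown as an added example (not the SDK's code and not its actual patch): a prefix check without a trailing separator beside a segment-aware check. The root `/srv/app/memories`, the function names and the sample paths are constructed for illustration.

```javascript
const path = require("node:path");

// Hypothetical sandbox root for a memory tool (constructed for this example).
const MEMORY_ROOT = "/srv/app/memories";

// Flawed pattern: string prefix check with no trailing path separator.
// "/srv/app/memories-archive" starts with "/srv/app/memories", so it passes.
function isInsideSandboxPrefix(root, requested) {
  const resolved = path.posix.resolve(root, requested);
  return resolved.startsWith(root);
}

// Segment-aware check: the path relative to the root must not climb out.
// Caveat: this is a lexical check only; symlinks inside the root still need
// a realpath comparison before the file is opened.
function isInsideSandbox(root, requested) {
  const base = path.posix.resolve(root);
  const resolved = path.posix.resolve(base, requested);
  const rel = path.posix.relative(base, resolved);
  return rel === "" || (rel !== ".." && !rel.startsWith("../"));
}

// Constructed sample requests, as a tool call might supply them.
const SAMPLES = [
  "notes/todo.md",                // ordinary file inside the root
  "../memories-archive/keys.txt", // sibling directory sharing the prefix
  "../../etc/hosts",              // plain traversal, rejected by both checks
  "..notes.md",                   // legal file name that merely starts with ".."
];

// Run both checks over each request so disagreements are visible.
function audit(requests) {
  return requests.map((requested) => ({
    requested,
    prefixCheck: isInsideSandboxPrefix(MEMORY_ROOT, requested),
    segmentCheck: isInsideSandbox(MEMORY_ROOT, requested),
  }));
}

console.log(audit(SAMPLES));
```

Only the sibling-directory request is accepted by the prefix check and rejected by the segment-aware one; a regression test for this bug class should include such a path.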

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-34451
GHSA-5474-4W2J-MQ4C

Affected Products

Claude Sdk For Typescript