{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34451", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.895Z", "datePublished": "2026-03-31T21:35:21.018Z", "dateUpdated": "2026-04-01T18:57:05.442Z"}, "containers": {"cna": {"title": "Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-41", "lang": "en", "description": "CWE-41: Improper Resolution of Path Equivalence", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-5474-4w2j-mq4c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-5474-4w2j-mq4c"}, {"name": "https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b21a7d3c39c07b7cdb6995d9", "tags": ["x_refsource_MISC"], "url": "https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b21a7d3c39c07b7cdb6995d9"}, {"name": "https://github.com/anthropics/anthropic-sdk-typescript/releases/tag/sdk-v0.81.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/anthropics/anthropic-sdk-typescript/releases/tag/sdk-v0.81.0"}], "affected": [{"vendor": "anthropics", "product": "anthropic-sdk-typescript", "versions": [{"version": ">= 0.79.0, < 0.81.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:35:21.018Z"}, "descriptions": [{"lang": "en", "value": "Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0."}], "source": {"advisory": "GHSA-5474-4w2j-mq4c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:56:48.666585Z", "id": "CVE-2026-34451", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:57:05.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34451", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T18:56:48.666585Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:56:56.979Z"}}], "cna": {"title": "Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories", "source": {"advisory": "GHSA-5474-4w2j-mq4c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "anthropics", "product": "anthropic-sdk-typescript", "versions": [{"status": "affected", "version": ">= 0.79.0, < 0.81.0"}]}], "references": [{"url": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-5474-4w2j-mq4c", "name": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-5474-4w2j-mq4c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b21a7d3c39c07b7cdb6995d9", "name": "https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b21a7d3c39c07b7cdb6995d9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/anthropics/anthropic-sdk-typescript/releases/tag/sdk-v0.81.0", "name": "https://github.com/anthropics/anthropic-sdk-typescript/releases/tag/sdk-v0.81.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-41", "description": "CWE-41: Improper Resolution of Path Equivalence"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T21:35:21.018Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34451", "state": "PUBLISHED", "dateUpdated": "2026-04-01T18:57:05.442Z", "dateReserved": "2026-03-27T18:18:14.895Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T21:35:21.018Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0."}], "id": "CVE-2026-34451", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T22:16:20.167", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b21a7d3c39c07b7cdb6995d9"}, {"source": "security-advisories@github.com", "url": "https://github.com/anthropics/anthropic-sdk-typescript/releases/tag/sdk-v0.81.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA-5474-4w2j-mq4c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-41"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.79.0,0.81.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "anthropic-sdk-typescript", "source": "cna", "vendor": "anthropics"}, "product": "anthropic-sdk-typescript", "vendor": "anthropics"}], "analysis": {"en": {"generated_at": "2026-04-01T06:04:10.779245+00:00", "value": {"mitigation_remediation": ["Update the anthropic-sdk-typescript library to version 0.81.0 or newer.", "If an upgrade cannot be performed immediately, restrict or sanitize model prompts to prevent prompt injection that could supply malicious paths.", "Monitor application logs for unexpected file read or write operations near the memory sandbox boundary."], "summary": {"action": "Patch Now", "impact": "Unauthorized file access"}, "threat_synthesis": {"affected_systems": "The issue affects the anthropic-sdk-typescript library released by Anthropic. Versions from 0.79.0 up to, but not including, 0.81.0 are vulnerable. Version 0.81.0 and later contain the fix. The vulnerability is active in server\u2011side TypeScript or JavaScript applications that use the SDK.", "description_and_impact": "The vulnerability exists in the memory tool of the Anthropic TypeScript SDK. The SDK validates model supplied paths with a string prefix check that fails to enforce a trailing separator, enabling a crafted path to resolve to a sibling directory of the sandboxed memory root. This allows an attacker who can influence the model\u2019s prompt to read or write files outside the intended sandbox, potentially leaking sensitive data or modifying configuration files. The weakness corresponds to path traversal and restricted resource access.", "risk_and_exploitability": "The CVSS score of 6.3 classifies the exploitability as moderate. EPSS is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a model that can be steered through prompt injection to provide a malicious path, so attackers need access to the model and the ability to craft prompts that result in the malicious path. If such conditions are met, the attacker can read and write arbitrary files within sibling directories, jeopardizing confidentiality and integrity. The overall risk is therefore moderate, with higher priority for environments where model prompts are not strictly controlled."}}}}, "created": "2026-04-02T07:52:06.227468+00:00", "updated": "2026-04-02T20:10:21.125500+00:00", "vendors": ["anthropics", "anthropics$PRODUCT$anthropic-sdk-typescript"]}