Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory.
This issue has been patched in version 0.81.0.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v4.0
Weakness Type (CWE)
References 3
https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b…
security-advisories@github.com
https://github.com/anthropics/anthropic-sdk-typescript/releases/tag/sdk-v0.81.0
security-advisories@github.com
https://github.com/anthropics/anthropic-sdk-typescript/security/advisories/GHSA…
security-advisories@github.com