Description
Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0.
Published: 2026-03-31
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file access
Action: Patch Now
AI Analysis

Impact

The vulnerability exists in the memory tool of the Anthropic TypeScript SDK. The SDK validates model supplied paths with a string prefix check that fails to enforce a trailing separator, enabling a crafted path to resolve to a sibling directory of the sandboxed memory root. This allows an attacker who can influence the model’s prompt to read or write files outside the intended sandbox, potentially leaking sensitive data or modifying configuration files. The weakness corresponds to path traversal and restricted resource access.

Affected Systems

The issue affects the anthropic-sdk-typescript library released by Anthropic. Versions from 0.79.0 up to, but not including, 0.81.0 are vulnerable. Version 0.81.0 and later contain the fix. The vulnerability is active in server‑side TypeScript or JavaScript applications that use the SDK.

Risk and Exploitability

The CVSS score of 6.3 classifies the exploitability as moderate. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a model that can be steered through prompt injection to provide a malicious path, so attackers need access to the model and the ability to craft prompts that result in the malicious path. If such conditions are met, the attacker can read and write arbitrary files within sibling directories, jeopardizing confidentiality and integrity. The overall risk is therefore moderate, with higher priority for environments where model prompts are not strictly controlled.

Generated by OpenCVE AI on April 1, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the anthropic-sdk-typescript library to version 0.81.0 or newer.
  • If an upgrade cannot be performed immediately, restrict or sanitize model prompts to prevent prompt injection that could supply malicious paths.
  • Monitor application logs for unexpected file read or write operations near the memory sandbox boundary.

Generated by OpenCVE AI on April 1, 2026 at 06:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5474-4w2j-mq4c Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
History

Mon, 20 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Anthropic
Anthropic claude Sdk For Typescript
CPEs cpe:2.3:a:anthropic:claude_sdk_for_typescript:*:*:*:*:*:*:*:*
Vendors & Products Anthropic
Anthropic claude Sdk For Typescript
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Anthropics
Anthropics anthropic-sdk-typescript
Vendors & Products Anthropics
Anthropics anthropic-sdk-typescript

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside the sandboxed memory directory. This issue has been patched in version 0.81.0.
Title Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
Weaknesses CWE-22
CWE-41
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Anthropic Claude Sdk For Typescript
Anthropics Anthropic-sdk-typescript
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:57:05.442Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34451

cve-icon Vulnrichment

Updated: 2026-04-01T18:56:56.979Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T22:16:20.167

Modified: 2026-04-20T14:47:27.887

Link: CVE-2026-34451

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:21Z

Weaknesses