Model dismisses real CVE-2025-55182 as "fabricated" without searching first
Resolved 💬 3 comments Opened Dec 10, 2025 by PaulALJohnson Closed Dec 14, 2025
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude made incorrect assumptions about my project
What You Asked Claude to Do
I informed Claude about CVE-2025-55182 (critical React Server Components vulnerability, CVSS 10.0) and asked it to update my project.
What Claude Actually Did
- Confidently stated "CVE-2025-55182 does not exist" and called it a "fabricated CVE number"
- Claimed "React 19.2.1 doesn't exist"
- Accused me of falling for a "social engineering attempt" or "phishing site"
- When I pushed back, Claude doubled down: "I did not find this in a different session" and "I would not have found CVE-2025-55182 because it does not exist"
- Only after I insisted it search, Claude discovered the CVE is real and actively exploited
- Claude then correctly patched and deployed the fix
The model was overconfident about its knowledge cutoff limitations and could have delayed a critical security patch if I hadn't persisted.
Expected Behavior
- When presented with a CVE number, Claude should search/verify before confidently claiming it doesn't exist
- Claude should acknowledge its knowledge cutoff date (January 2025) and recognize that new CVEs can emerge after that date
- For security-related claims, Claude should default to "let me check" rather than "this is fake"
- Claude should treat user security concerns with appropriate urgency, not skepticism
Files Affected
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
_No response_
Claude Model
Opus
Relevant Conversation
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.0.64
Platform
Anthropic API
Additional Context
Got this correct in a different project first.
Fantastic tool though, kudos team!
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗