Model dismisses real CVE-2025-55182 as "fabricated" without searching first

Resolved 💬 3 comments Opened Dec 10, 2025 by PaulALJohnson Closed Dec 14, 2025

Preflight Checklist

  • [x] I have searched existing issues for similar behavior reports
  • [x] This report does NOT contain sensitive information (API keys, passwords, etc.)

Type of Behavior Issue

Claude made incorrect assumptions about my project

What You Asked Claude to Do

I informed Claude about CVE-2025-55182 (critical React Server Components vulnerability, CVSS 10.0) and asked it to update my project.

What Claude Actually Did

  1. Confidently stated "CVE-2025-55182 does not exist" and called it a "fabricated CVE number"
  2. Claimed "React 19.2.1 doesn't exist"
  3. Accused me of falling for a "social engineering attempt" or "phishing site"
  4. When I pushed back, Claude doubled down: "I did not find this in a different session" and "I would not have found CVE-2025-55182 because it does not exist"
  5. Only after I insisted it search, Claude discovered the CVE is real and actively exploited
  6. Claude then correctly patched and deployed the fix

The model was overconfident about its knowledge cutoff limitations and could have delayed a critical security patch if I hadn't persisted.

Expected Behavior

  1. When presented with a CVE number, Claude should search/verify before confidently claiming it doesn't exist
  2. Claude should acknowledge its knowledge cutoff date (January 2025) and recognize that new CVEs can emerge after that date
  3. For security-related claims, Claude should default to "let me check" rather than "this is fake"
  4. Claude should treat user security concerns with appropriate urgency, not skepticism

Files Affected

Permission Mode

Accept Edits was ON (auto-accepting changes)

Can You Reproduce This?

Haven't tried to reproduce

Steps to Reproduce

_No response_

Claude Model

Opus

Relevant Conversation

Impact

Critical - Data loss or corrupted project

Claude Code Version

2.0.64

Platform

Anthropic API

Additional Context

Got this correct in a different project first.

Fantastic tool though, kudos team!

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗