An alarming vulnerability in Claude Code’s GitHub Actions has been uncovered, potentially allowing attackers to infiltrate any repository utilizing Anthropic’s CI/CD workflow. This flaw was identified by security expert RyotaK from GMO Flatt Security and has since been patched in version 1.0.94 of Claude Code GitHub Actions.
The Nature of the Vulnerability
The vulnerability originated from a flawed permission model in the checkWritePermissions function of Claude Code GitHub Actions. This flaw, combined with prompt injection techniques, allowed unauthorized attackers to extract secrets, steal OIDC tokens, and insert malicious code into any repository relying on the affected workflow. The checkWritePermissions function mistakenly trusted any actor ending with [bot], irrespective of their actual permissions.
Attackers exploited this by utilizing GitHub Apps, which inherently have read access to public repositories. By creating issues or pull requests using only an installation token, attackers could bypass permission controls entirely, posing a significant security risk.
Executing the Attack
The attack sequence involved creating a malicious GitHub App, installing it on a controlled repository, and using its installation token to initiate an issue or pull request on the target repository. This process exploited the flawed permission logic, allowing the attacker’s content to be processed as legitimate.
Once inside, attackers could use prompt injection to execute commands, exploiting the fact that Claude Code permits certain Bash commands without explicit approval. This allowed access to sensitive environment variables, including those needed to request OIDC tokens, leading to the potential compromise of repository contents and workflows.
Mitigation and Future Implications
Anthropic has addressed these vulnerabilities in Claude Code GitHub Actions version 1.0.94. Key fixes include adding checks for human actors, disabling the workflow run summary by default, and removing sensitive environment variables from child processes.
Additionally, measures were implemented to prevent workflow chaining attacks, such as ignoring post-trigger edits and validating command arguments. The CVSS v4.0 score for these vulnerabilities was rated at 7.8, and a bounty was awarded to the researcher.
For users still employing Claude Code GitHub Actions, it is advised to audit workflows using allowed_non_write_users and restrict exposed secrets. Reviewing workflow logs for any signs of compromise is also recommended to ensure continued security.
As the digital landscape evolves, maintaining vigilant security practices is crucial to protect against similar vulnerabilities. Users are encouraged to stay informed through resources like the OWASP API Top 10 and webinars on improving visibility with WAAP.
