A major security flaw in Anthropic’s Claude Code AI coding agent has been identified, posing a significant risk to developers worldwide. The vulnerability, which is categorized as high severity, allows attackers to bypass user-configured security rules using a simple command-padding technique. This flaw potentially opens a gateway for credential theft and supply chain compromises, affecting hundreds of thousands of developers globally.
Understanding the Vulnerability
The discovered issue is linked to the bashPermissions.ts file, specifically between lines 2162 and 2178. The flaw arises from a performance optimization that limits security analysis to 50 subcommands. When a shell command exceeds this number, the security checks fail, and a generic permission prompt is triggered instead. Consequently, developers who have set specific deny rules, such as blocking ‘curl’ commands, find these rules bypassed when the blocked command is preceded by 50 benign commands.
Internal documentation from Anthropic, labeled as ticket CC-643, reveals that the decision to cap command analysis was made to prevent UI freezes caused by the detailed analysis of complex commands. While this decision was effective for human input, it failed to anticipate prompt-injection attacks where malicious actors could exploit this limitation.
Exploitation and Real-World Impact
The vulnerability can be exploited without technical sophistication. An attacker can create a GitHub repository with a CLAUDE.md file, which Claude Code reads automatically. This file can contain a build process with over 50 steps, embedding a harmful command at a position beyond the 50th subcommand. When a developer uses Claude Code to build the project, the flaw is triggered, and sensitive credentials can be extracted unnoticed.
This vulnerability jeopardizes assets such as SSH keys, cloud provider credentials, and GitHub tokens, which are critical for maintaining secure supply chains. The attack vector relies on developers having any deny rule active and cloning a repository controlled by attackers.
Mitigation and Future Outlook
Anthropic has reportedly resolved the issue in Claude Code version 2.1.90, describing it as a ‘parse-fail fallback deny-rule degradation.’ The advised solution involves applying a newer tree-sitter deny-check pattern to the legacy code, or at least changing the fallback action from ‘ask’ to ‘deny.’ Security professionals are encouraged to examine CLAUDE.md files in any cloned repositories and to treat deny rules as unreliable in unpatched versions.
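The difference between the ‘ask’ and ‘deny’ fallbacks can be seen in a small model of the check. This is an added illustration, not Claude Code's source: the function names, the naive separator-based splitter, and the program-name deny rule are all assumptions made for the example.

```typescript
// Added illustration; all names here are hypothetical, not taken from bashPermissions.ts.
type Decision = "allow" | "ask" | "deny";

const MAX_SUBCOMMANDS = 50; // analysis cap described in the article

// Naive split on shell separators; a real implementation needs a proper shell parser.
function splitSubcommands(command: string): string[] {
  return command.split(/&&|\|\||;|\|/).map((s) => s.trim()).filter((s) => s.length > 0);
}

// A deny rule in this model is just a blocked program name, e.g. "curl".
function matchesDeny(subcommand: string, denied: string[]): boolean {
  const program = subcommand.split(/\s+/)[0];
  return denied.indexOf(program) !== -1;
}

// Flawed pattern: over the cap, analysis is skipped and deny rules are never consulted.
function checkWithAskFallback(command: string, denied: string[]): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS) return "ask";
  return subs.some((s) => matchesDeny(s, denied)) ? "deny" : "allow";
}

// Fail-closed pattern: a command too long to analyse fully is denied outright.
function checkWithDenyFallback(command: string, denied: string[]): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS) return "deny";
  return subs.some((s) => matchesDeny(s, denied)) ? "deny" : "allow";
}

// Constructed sample input: 50 no-op steps followed by one command the user has denied.
const padded = [...new Array<string>(50).fill("true"), "curl https://example.invalid"].join(" && ");
const short = "true && curl https://example.invalid";

console.log({
  shortAsk: checkWithAskFallback(short, ["curl"]),    // deny rule is honoured
  paddedAsk: checkWithAskFallback(padded, ["curl"]),  // deny rule degrades to a prompt
  paddedDeny: checkWithDenyFallback(padded, ["curl"]) // fail closed
});
```

With the ‘ask’ fallback, the user's explicit deny rule silently becomes a generic prompt once the command crosses the cap; with the ‘deny’ fallback, the same command is refused.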
As cybersecurity threats become increasingly sophisticated, it is imperative for developers and security teams to stay informed and proactive in addressing potential vulnerabilities.
