Package Instance

@anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes
Due to an error in sed command parsing, it was possible to bypass the Claude Code read-only validation and write to arbitrary files on the host system.

Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.

Thank you to Adam Chester - SpecterOps for reporting this issue!

Claude Code has Permission Deny Bypass Through Symbolic Links
Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement.

Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.

Claude Code thanks https://hackerone.com/ofirh for reporting this issue.

Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection.

Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/philts for reporting this issue.

Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the `cd` command to navigate into sensitive directories like `.claude`, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window.

Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.

About
Claude Code thanks hackerone.com/nil221 for reporting this issue!

Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the "accept edits" feature enabled.

Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/nil221 for reporting this issue!

Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation
A vulnerability in Claude Code's project-load flow allowed malicious repositories to exfiltrate data including Anthropic API keys before users confirmed trust. If a user started Claude Code in an attacker-controller repository, and the repository included a settings file that set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code would issue API requests before showing the trust prompt, including potentially leaking the user's API keys.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Claude Code has a Command Injection in find Command Bypasses User Approval Prompt
Due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Claude Code thanks https://hackerone.com/alexbernier for reporting this issue!

Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows
On Windows, Claude Code loaded system-wide default configuration from `C:\ProgramData\ClaudeCode\managed-settings.json` without validating directory ownership or access permissions. Because the `ProgramData` directory is writable by non-administrative users by default and the `ClaudeCode` subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Thank you to hackerone.com/edbr for reporting this issue.

Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
Due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Claude Code thanks https://hackerone.com/alexbernier for reporting this issue!

Claude Code has a Workspace Trust Dialog Bypass via Repo-Controlled Settings File
Claude Code resolved the permission mode from settings files, including the repo-controlled `.claude/settings.json`, before determining whether to display the workspace trust confirmation dialog. A malicious repository could set `permissions.defaultMode` to `bypassPermissions` in its committed `.claude/settings.json`, causing the trust dialog to be silently skipped on first open. This allowed a user to be placed into a permissive mode without seeing the trust confirmation prompt, making it easier for an attacker-controlled repository to gain tool execution without explicit user consent.

Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.

Thank you to hackerone.com/cantina_xyz for reporting this issue.

Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json
Claude Code's bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted.

Users on standard Claude Code auto-update received this fix automatically. Users performing manual updates are advised to update to the latest version.

Claude Code thanks hackerone.com/edbr for reporting this issue!