Critical Claude Code Vulnerability Discovered After Source Code Leak
#Vulnerabilities


Laptops Reporter

Leaked source code reveals a dangerous security flaw in Anthropic's Claude Code that lets attackers bypass permission rules and steal sensitive developer data through prompt injection.

Shortly after an accidental source code leak, a critical vulnerability was discovered in the AI coding agent Claude Code. It allows attackers to bypass security rules and steal sensitive data such as SSH keys from developers' machines.

On March 31, Anthropic, the company behind the Claude AI, accidentally put a large portion of the code behind the Claude Code coding agent online. The source code became accessible through the accidental publication of a so-called source map, a file that translates compiled program code back into a human-readable form, on npm, a package manager for JavaScript. As a result, researchers were able to reconstruct the code of the AI agent.

The result amounts to around 512,000 lines of TypeScript, a programming language built on JavaScript that adds static type annotations. Although no model weights or customer data were directly exposed, the leak provides a detailed blueprint of how the tool works. This makes it easier for potential attackers to identify targeted vulnerabilities or to create highly convincing copies of the program that could spread malware.

In this context, the team at Adversa AI discovered a critical security flaw in Claude Code's permission system. Claude Code is a terminal-based assistant that works directly in the command line and can edit files as well as execute shell commands. To maintain security, the tool uses a system of permission rules. Users can define so-called deny rules that strictly block certain commands, for example the command "curl," which is used to transfer data over a network. Other commands such as "git" for version control can, by contrast, be explicitly allowed.

The discovered vulnerability lies in the handling of complex command chains. To avoid performance issues and UI freezes, Anthropic limits its detailed security analysis to a maximum of 50 subcommands. If a command chain is longer, the per-subcommand checks are skipped entirely and the user is shown only a generic prompt asking whether the command as a whole should be executed.

This behavior can be exploited through so-called prompt injection. In this type of attack, an attacker manipulates the inputs to the AI in order to bypass its security filters. Specifically, an attacker could place a manipulated file named "CLAUDE.md" in a public software repository. This file contains instructions for the AI agent. If a developer clones the repository and asks the agent to build the project, the AI could be instructed to execute a chain of more than 50 seemingly legitimate commands.

Starting with the 51st command, the individually configured deny rules no longer apply. While a single "curl" command would be blocked, it is ignored when embedded in a long chain. This allows attackers to send sensitive data such as SSH keys, cryptographic keys used for secure remote access to servers, or cloud credentials from the developer's local machine to an external server in the background. Because the system in this case only requests a general confirmation, the user does not notice that their security policies have effectively been overridden.

Particularly notable is that the leaked source code for version 2.1.88 already contained a fix for this problem. Anthropic had developed a more modern parser, a program used to analyze code structures, that correctly checks deny rules regardless of the length of the command chain. However, this newer parser was not active in the public releases of the program; instead, the older, flawed mechanism remained in use.
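To make the failure mode concrete, here is an added, simplified model of the two evaluation orders described above. It is written for this article and is not code from Claude Code; the tokenizer, the rule shape, the MAX_ANALYZED name and the sample chain are all assumptions.

```typescript
// Constructed model of a permission check over chained shell commands.
// Not Claude Code's implementation: names, rule format and the cap value
// are assumptions drawn from the article's description of the flaw.

type Decision = "allow" | "deny" | "ask";

const MAX_ANALYZED = 50; // per-chain analysis cap described in the article

// Toy tokenizer: split a command line into subcommands on chain operators.
// Ignores quoting and subshells; sufficient to show the ordering bug.
function splitChain(cmd: string): string[] {
  return cmd
    .split(/\s*(?:&&|\|\||;|\|)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// First word of a subcommand, e.g. "curl" from "curl https://...".
function program(sub: string): string {
  return sub.split(/\s+/)[0] ?? "";
}

// Flawed order: past the cap, the per-subcommand checks are skipped and the
// user only gets a generic prompt, so the deny list is never consulted.
function evaluateFlawed(cmd: string, deny: string[], allow: string[]): Decision {
  const subs = splitChain(cmd);
  if (subs.length > MAX_ANALYZED) return "ask"; // deny rules bypassed here
  if (subs.some((s) => deny.includes(program(s)))) return "deny";
  return subs.every((s) => allow.includes(program(s))) ? "allow" : "ask";
}

// Hardened order: deny rules are a hard veto applied to every subcommand
// before any cap; the cap only limits auto-allow, never deny enforcement.
function evaluateHardened(cmd: string, deny: string[], allow: string[]): Decision {
  const subs = splitChain(cmd);
  if (subs.some((s) => deny.includes(program(s)))) return "deny";
  if (subs.length > MAX_ANALYZED) return "ask";
  return subs.every((s) => allow.includes(program(s))) ? "allow" : "ask";
}

// Constructed policy and sample: deny curl, allow git and echo; the chain
// is 51 harmless echo steps followed by a single denied curl.
const DENY = ["curl"];
const ALLOW = ["git", "echo"];
const SAMPLE_CHAIN =
  Array.from({ length: 51 }, (_, i) => `echo step${i}`).join(" && ") +
  " && curl https://example.invalid";
```

Run against SAMPLE_CHAIN, the flawed evaluator returns "ask" (the generic prompt the article describes) while the hardened one returns "deny"; for a two-command chain containing curl both return "deny", which is why the flaw only shows up past the cap.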

Anthropic appears to have resolved the problem in the meantime. According to the changelog for version 2.1.90, an issue described as "parse-fail fallback deny-rule degradation" was fixed. However, according to the researchers who identified the vulnerability, there are other ways to address the problem.
