Claude Code Vulnerability Allows Bypass of Safety Rules via Subcommand Injection
Severity: High (Score: 67.5)
Sources: Theregister
Summary
A vulnerability in Claude Code lets the AI agent bypass its configured deny rules when it is asked to run a chain of more than 50 subcommands. Discovered by Adversa, a Tel Aviv-based security firm, the flaw makes Claude Code exploitable through prompt injection: an injected instruction can cause it to take actions the deny rules are meant to block, such as making network requests with curl. The root cause is a hard cap of 50 subcommands in the security check. A command that exceeds the cap is not evaluated against the deny rules; Claude Code instead falls back to asking the user for permission. That fallback assumed a human at the keyboard and was not designed with AI-generated commands in mind, and the proof-of-concept attack constructs a single long command that exploits exactly this limit. The risk is highest in automated settings such as CI/CD pipelines, where no human is present to review the permission prompt. Anthropic has developed an internal fix but has not yet released it publicly. Left unaddressed, the vulnerability also raises regulatory and compliance concerns.
Key Points:
• Claude Code's deny rules can be bypassed with a chain of more than 50 subcommands.
• The flaw is reachable via prompt injection and is most dangerous in automated environments where no human reviews permission prompts.
• Anthropic has an internal fix but has not released it publicly.
Key Entities
- Prompt Injection (attack_type)
- Israel (country)
- T1059.004 - Unix Shell (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- Curl (tool)