1. A source code leak of Anthropic’s Claude Code revealed a critical security flaw allowing attackers to bypass permission rules through long command chains, risking data exfiltration.
2. The vulnerability exploits the system’s limit of analyzing only 50 subcommands in complex chains, enabling malicious prompt injections once the limit is exceeded.
3. Despite a fix in the leaked version 2.1.88, the publicly available code continued using an outdated parser, leaving the security flaw unaddressed in released versions until later updates.
4. The flaw could enable attackers to extract sensitive information such as SSH keys or cloud credentials by manipulating the AI to execute lengthy command sequences that bypass deny rules.
Recent Accidental Code Leak and Its Implications
On March 31, Anthropic, the creators of Claude AI, mishandled their source code by unintentionally making a significant part of the underlying code accessible online. This leak happened when a source map file, which translates compiled code back to a human-readable form, was mistakenly published on npm, a popular JavaScript package manager. The leak revealed approximately 512,000 lines of TypeScript code, providing detailed insights into how the AI assistant operates. Despite no model weights or sensitive customer data being exposed, the blueprint nature of this leak has posed serious security concerns. It has opened doors for malicious actors to analyze vulnerabilities or replicate the tool for harmful purposes such as malware delivery.
Security Flaw Discovered in Claude Code’s Permission System
Claude Code is an AI-based terminal assistant capable of executing commands and editing files directly from the command line. To fight misuse, it employs a permission system where users can set deny rules blocking specific commands like “curl,” used for network data transfer, while allowing others like “git.” However, security researchers at Adversa AI uncovered a critical flaw. The vulnerability centers around how the system handles complex command chains, especially in scenarios where a chain exceeds 50 subcommands. To prevent slowdowns or interface freezes, Anthropic’s code skips detailed security checks beyond this limit, instead prompting users with a general confirmation. This behavior could be exploited by attackers through prompt injection techniques to bypass security checks altogether.
Prompt Injection Attack Scenarios and Data Risks
- The attack involves placing a specially crafted file named “CLAUDE.md” in a public code repository. This file contains commands or instructions designed to manipulate the AI’s responses.
- When a developer clones the repository and prompts Claude Code to analyze or review the project, the AI might execute a lengthy chain of commands exceeding the 50-command threshold. Since detailed checks are skipped past this limit, the system becomes vulnerable.
- In this way, an attacker can sneak in commands that retrieve sensitive data, such as SSH keys, cryptographic credentials used for secure connections, or cloud computing credentials stored on developer machines.
- Crucially, because the system only asks for a simple confirmation at the end of the command chain, it fails to recognize that security policies are sidestepped. This allows attackers to secretly exfiltrate data without raising suspicions.
Existing Fixes and the Discrepancy in Implementation
Interestingly, the leaked version 2.1.88 of Claude Code included a fix for this problem. The developers had introduced a more sophisticated parser designed to be aware of deny rules regardless of how long a command chain is. Unfortunately, this improvement was not incorporated into the publicly available versions, which continued to use an older, flawed security mechanism. It wasn’t until version 2.1.90 that Anthropic addressed the issue officially, fixing the fallback deny-rule degradation described as “parse-fail fallback deny-rule degradation” in the changelog. Despite this, security researchers suggest that other attack methods might still exist, emphasizing that it’s a partially mitigated issue rather than a fully resolved one.
