
"Claude Code implements various mechanisms for allowing and denying access to specific tools. Some of these, like curl, which enables network requests from the command line, might pose a security risk if invoked by an over-permissive AI model."
"The source code file bashPermissions.ts contains a comment that references an internal Anthropic issue designated CC-643. The associated note explains that there's a hard cap of 50 on security subcommands, set by the variable MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50."
"The Adversa team's proof-of-concept attack was simple. They created a bash command that combined 50 no-op 'true' subcommands and a curl subcommand. Claude asked for authorization to proceed instead of denying curl access outright."
Claude Code's security mechanisms, including deny rules, can be circumvented by lengthy subcommand chains, allowing prompt injection attacks. A security firm identified this vulnerability after the source code leak. The system has a limit of 50 subcommands for security checks, beyond which it requests user permission. This limitation was designed for human commands but fails against AI-generated commands. A proof-of-concept attack demonstrated that a combination of no-op commands and a curl command could bypass security checks, potentially unnoticed by developers.
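As an added illustration (not Claude Code's own code, and only a simplified model of the check the article describes), the TypeScript sketch below contrasts a check that escalates to the user once a chain exceeds the 50-subcommand cap with one that fails closed. The deny list, the splitter, and the placeholder host are constructed for this example.

```typescript
// Simplified model of a deny-rule check over a chained bash command.
// It is an illustration added here, not code from Claude Code.

type Verdict = "allow" | "deny" | "ask";

// Constant named after the one quoted in the article.
const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50;

// Hypothetical deny list for the example: executables whose invocation is refused.
const DENIED_EXECUTABLES = new Set(["curl", "wget"]);

// Naive split on shell control operators. Sufficient for this model;
// a real implementation needs a proper shell parser (quoting, subshells, etc.).
function splitSubcommands(command: string): string[] {
  return command
    .split(/\s*(?:&&|\|\||;|\|)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

function firstWord(sub: string): string {
  return sub.split(/\s+/)[0];
}

// Weak version: once the chain is longer than the cap the check gives up and
// asks the user, so a denied executable placed after the cap is never
// matched against the deny list (the behaviour the article describes).
function checkFailOpen(command: string): Verdict {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) return "ask";
  return subs.some((s) => DENIED_EXECUTABLES.has(firstWord(s))) ? "deny" : "allow";
}

// Hardened version: every subcommand is matched against the deny list before
// any cap applies, and a chain too long to inspect is itself denied rather
// than escalated, so padding cannot push a denied command out of view.
function checkFailClosed(command: string): Verdict {
  const subs = splitSubcommands(command);
  if (subs.some((s) => DENIED_EXECUTABLES.has(firstWord(s)))) return "deny";
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) return "deny";
  return "allow";
}

// Constructed input mirroring the proof of concept: 50 no-op `true`
// subcommands followed by a curl invocation to a placeholder host.
const POC_COMMAND: string =
  Array(50).fill("true").concat("curl https://example.invalid").join(" && ");
```

Running `checkFailOpen(POC_COMMAND)` yields `"ask"` while `checkFailClosed(POC_COMMAND)` yields `"deny"`; the same curl in a short chain is denied by both.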
Read at Theregister