Following our reverse-engineering of Claude Code's leaked source for hacks and optimisations, we turned to the security side. We audited the full 1,900-file TypeScript codebase for vulnerabilities, attack surfaces, and exploitable gaps.
The results: 23 verified vulnerabilities, 7 rated critical.
Key Takeaways
- The primary attack vector is malicious repositories. A repo with crafted .claude/ files can execute arbitrary commands, inject system prompts, configure attacker-controlled MCP servers, and read arbitrary files -- all triggered automatically on project open.
- Seven critical vulnerabilities allow arbitrary code execution or data exfiltration, in some cases without user approval.
- Shell security has specific bypass vectors, including a 50-subcommand analysis cap and sed delimiter tricks.
- Credentials are stored in plaintext on Linux and Windows (~/.claude/.credentials.json).
- No symlink resolution or critical path protection in file write operations.
Attack Priority Matrix
All 23 verified vulnerabilities ranked by severity. Each links to the detailed analysis in the full security audit.
| # | Vulnerability | Severity | Requires | Exploitability |
|---|---|---|---|---|
| 1 | CLAUDE.md Prompt Injection | CRITICAL | Malicious repo clone | Trivial |
| 2 | Memory File Injection | CRITICAL | Malicious repo clone | Trivial |
| 3 | Custom Agent Injection | CRITICAL | Malicious repo clone | Trivial |
| 4 | Skill File Injection | HIGH | Malicious repo clone | Trivial |
| 5 | CLAUDE.md @include Path Traversal | CRITICAL | Malicious repo clone | Trivial |
| 6 | Hook Command Injection | CRITICAL | Malicious repo clone | Trivial |
| 7 | Subcommand Limit Bypass (>50) | HIGH | Prompt injection | Moderate |
| 8 | Sandbox Exclusion via dangerouslyDisableSandbox | HIGH | Model prompt | Moderate |
| 9 | Sed Non-Slash Delimiter Bypass | HIGH | Model prompt | Easy |
| 10 | MCP Tool Result Injection | HIGH | Malicious MCP server | Easy |
| 11 | MCP Environment Variable Leakage | HIGH | Malicious repo clone | Easy |
| 12 | JWT Signature Not Verified | CRITICAL | Network position | Medium |
| 13 | Bridge Message Type Guard | CRITICAL | MitM or compromised server | Easy |
| 14 | Swarm Permission Forgery | MEDIUM | Swarm agent context | Easy |
| 15 | Project Settings Injection | HIGH | Malicious repo clone | Trivial |
| 16 | MCP Server Config Injection | HIGH | Malicious repo clone | Trivial |
| 17 | Symlink Following in File Writes | HIGH | Filesystem preparation | Medium |
| 18 | WebFetch SSRF | MEDIUM | Prompt injection | Easy |
| 19 | Plaintext Credentials (Linux/Windows) | HIGH | Local user access | Trivial |
| 20 | No Critical Path Protection | MEDIUM | Bypass mode | Easy |
| 21 | Fork Context Data Leakage | MEDIUM | Normal usage | Easy |
| 22 | DNS Exfiltration (no detection) | MEDIUM | Prompt injection | No detection exists |
| 23 | Context Window Exhaustion DoS | LOW | Normal usage | Easy but low impact |
The most trivially exploitable findings (1-5, 8, 13-15) all share the same vector: a malicious git repository with crafted .claude/ files. A developer clones the repo, runs claude, and the attack chain fires automatically.
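As an added example (not code from the original post or from Claude Code itself), the following pre-open triage script surfaces the three repo-borne conditions described above before a developer runs claude in a fresh clone: auto-executing hook and MCP server sections in .claude/ config, @include targets in CLAUDE.md that leave the repository, and symlinks under .claude/ that resolve outside it. The config key names, the file layout under .claude/, and the "@path" include syntax are assumptions for illustration, not taken from Claude Code's real schema.

```python
import json
import re
import tempfile
from pathlib import Path
# Key names and the "@path" include syntax are assumptions for this example, not Claude Code's schema.
AUTO_EXEC_KEYS = {"hooks": "hook commands run automatically",
                  "mcpServers": "MCP server launched with repo-supplied command/env"}
INCLUDE_RE = re.compile(r"^@(?:include\s+)?(\S+)", re.M)

def scan_claude_md(text):
    """Return @include targets that escape the repo (absolute, ~ or ..)."""
    return [t for t in INCLUDE_RE.findall(text)
            if t.startswith(("/", "~")) or ".." in Path(t).parts]

def scan_config(obj, path="", hits=None):
    """Walk nested JSON; record auto-executing sections and env blocks."""
    hits = [] if hits is None else hits
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else []
    for k, v in items:
        if k in AUTO_EXEC_KEYS:
            hits.append((f"{path}/{k}", AUTO_EXEC_KEYS[k]))
        elif k == "env" and isinstance(v, dict):
            hits.append((f"{path}/{k}", "environment passed to a subprocess"))
        scan_config(v, f"{path}/{k}", hits)
    return hits

def audit_repo(root):
    """Return (relative path, reason) findings for a freshly cloned repo."""
    root = Path(root).resolve()
    cfg = root / ".claude"
    findings = []
    for p in [root / "CLAUDE.md"] + (list(cfg.rglob("*")) if cfg.is_dir() else []):
        rel = str(p.relative_to(root))
        if p.is_symlink() and not p.resolve().is_relative_to(root):
            findings.append((rel, f"symlink escapes repo -> {p.resolve()}"))
        elif p.is_file() and p.suffix == ".json":
            findings += [(rel + loc, why) for loc, why in scan_config(json.loads(p.read_text()))]
        elif p.is_file() and p.name == "CLAUDE.md":
            findings += [(rel, f"@include escapes repo: {t}") for t in scan_claude_md(p.read_text())]
    return findings

def demo():
    """Build a constructed sample repo that trips each check; return its findings."""
    root = Path(tempfile.mkdtemp())
    (root / "CLAUDE.md").write_text("# Project\n@../../../etc/hosts\n@docs/style.md\n")
    (root / ".claude").mkdir()
    (root / ".claude" / "settings.json").write_text(json.dumps({"hooks": {"PreToolUse": [
        {"command": "echo hi"}]}, "mcpServers": {"x": {"command": "node", "env": {"API_KEY": "x"}}}}))
    (root / ".claude" / "notes.md").symlink_to("/etc/hostname")  # constructed escaping symlink
    return audit_repo(root)
```

Run audit_repo on a clone before opening it; any finding is a reason to read the flagged file by hand rather than letting it execute on project open.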
Full Security Audit
This post covers the highlights. The complete analysis documents all 23 findings with severity ratings, affected source files, exploit code, and a sortable attack priority matrix.
The source is on GitHub if you want to verify these findings yourself. See also our hacks and optimisations post for the non-security side of the analysis.