Claude Code Permission Deny Bypass Vulnerability via Symlink

Vulnerability

A permission deny bypass vulnerability has been identified in Claude Code versions prior to 1.0.120. The issue arises because the tool does not properly consider symlinks when enforcing permission deny rules. If a user explicitly denies Claude Code access to a file, but the tool has access to a symlink pointing to that file, it can still access the file. This vulnerability has a low severity rating.
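
The flaw described above, shown as an added example that is not Claude Code's own code: a deny check that compares the path as written, next to one that resolves symlinks before comparing. The function names and the modelling of deny rules as a plain list of paths are assumptions made for illustration, and the file tree is constructed in a temporary directory.

```python
import os
import tempfile


def _covers(denied: str, requested: str) -> bool:
    """True if `requested` is the denied path or lies beneath it."""
    return requested == denied or requested.startswith(denied.rstrip(os.sep) + os.sep)


def is_denied_lexical(path: str, deny_paths: list[str]) -> bool:
    """Flawed check (hypothetical): compares the path as written, never following symlinks."""
    requested = os.path.abspath(path)
    return any(_covers(os.path.abspath(d), requested) for d in deny_paths)


def is_denied_resolved(path: str, deny_paths: list[str]) -> bool:
    """Hardened check (hypothetical): resolve symlinks on both sides, then compare."""
    requested = os.path.realpath(path)
    return any(_covers(os.path.realpath(d), requested) for d in deny_paths)


def run_demo() -> dict:
    """Build a constructed file tree and return (lexical, resolved) verdicts per path."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secrets.env")    # denied file
        private = os.path.join(root, "private")       # denied directory
        key = os.path.join(private, "key.pem")
        os.mkdir(private)
        for p in (secret, key):
            with open(p, "w") as fh:
                fh.write("constructed sample data\n")
        link = os.path.join(root, "notes.txt")        # symlink -> denied file
        chain = os.path.join(root, "alias.txt")       # symlink -> symlink -> denied file
        key_link = os.path.join(root, "key-copy")     # symlink into denied directory
        os.symlink(secret, link)
        os.symlink(link, chain)
        os.symlink(key, key_link)
        public = os.path.join(root, "README.md")      # unrelated path, not denied
        deny = [secret, private]
        paths = {"direct": secret, "link": link, "chain": chain,
                 "dir_link": key_link, "public": public}
        return {name: (is_denied_lexical(p, deny), is_denied_resolved(p, deny))
                for name, p in paths.items()}


if __name__ == "__main__":
    for name, (lexical, resolved) in run_demo().items():
        print(f"{name:9} lexical_denied={lexical!s:5} resolved_denied={resolved}")
```

Resolving before the check still leaves a window if a link can change between the check and the read, so the resolved path is the one that should be opened.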

Impact

Exploitation of this vulnerability allows Claude Code to bypass permission deny rules and access files that should be restricted, potentially leading to unauthorized data exposure.

Remediation

Users on standard Claude Code auto-update will have received the fix automatically. Those performing manual updates should update to the latest version.

Added: Oct 3, 2025, 8:16 PM
Updated: Oct 3, 2025, 8:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.