Claude Code Command Validation Bypass Leading to Arbitrary Code Execution

Vulnerability

A vulnerability in Claude Code prior to version 1.0.93 allows arbitrary code execution by bypassing the read-only command validation. The issue arises from improper parsing of shell commands involving the internal field separator (IFS) and short command-line flags, which lets a command that is not actually read-only pass the check. Exploiting this vulnerability requires the ability to insert untrusted content into a Claude Code context window.

Impact

Bypassing the read-only validation enables arbitrary code execution within the Claude Code environment, with the privileges of the user running Claude Code.

Remediation

Users on standard Claude Code auto-update have already received the fix in version 1.0.93. Those performing manual updates should update to version 1.0.93 or later.

Added: Dec 3, 2025, 7:18 PM
Updated: Dec 3, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

spread:          0.0
impact:         10.0
exploitability:  7.4
remediation:     7.7
relevance:       1.3
threat:          0.0
urgency:         2.9
incentive:       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.