Claude Code ZSH Clobber Syntax Vulnerability Allows Unauthorized File Writes
Vulnerability
A vulnerability in Claude Code prior to version 2.0.74 allows users to bypass directory restrictions and write files outside the current working directory without user permission prompts. This issue arises from a flaw in Bash command validation related to ZSH clobber syntax. Exploitation requires the user to be using ZSH and requires the ability to insert untrusted content into a Claude Code context window.
Impact
Exploitation of this vulnerability could lead to unauthorized file writes, potentially allowing for the manipulation or creation of files in unintended locations.
Remediation
Users on standard Claude Code auto-update have received this fix. Users performing manual updates should update to the latest version.
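For manually updated installs, the following added example (not part of the original advisory or of Claude Code itself) triages a host against the fixed version 2.0.74 and the ZSH precondition stated above. The function names and verdict labels are hypothetical, the version strings in the comments are constructed samples, and treating $SHELL as the indicator of ZSH use is an assumption.

```shell
#!/bin/sh
# Added example: triage a Claude Code install against the fixed release in this advisory.
FIXED_VERSION="2.0.74"   # fixed version as stated on this page

# Print the first MAJOR.MINOR.PATCH triple found in the given text (empty if none).
# Constructed sample input: "2.0.73 (Claude Code)" -> 2.0.73
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed when version $1 >= version $2, comparing fields numerically
# (a plain string comparison would rank 2.0.100 below 2.0.74).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2          # split both triples into $1..$6
    IFS=$old_ifs
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]
    fi
}

# Print a verdict for version text $1 and shell path $2 (labels are hypothetical):
#   patched  - at or above the fixed version
#   exposed  - older than the fix and the user's shell is zsh
#   outdated - older than the fix, zsh precondition not met (still update)
#   unknown  - no version could be parsed
assess_install() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo patched; return 0; fi
    # The advisory states that exploitation requires the user to be using ZSH.
    case "${2##*/}" in
        zsh) echo exposed ;;
        *)   echo outdated ;;
    esac
}

# Run against the local install when the CLI is on PATH.
# Assumption: $SHELL reflects the shell the user actually works in.
if command -v claude >/dev/null 2>&1; then
    assess_install "$(claude --version 2>/dev/null)" "${SHELL:-}"
fi
```

A verdict of outdated still calls for an update; it only records that the ZSH precondition described above was not observed on that host.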
