Anthropic Claude SDK for TypeScript Sandbox Escape Vulnerability via Sibling Directory Prefix Injection
Vulnerability
A vulnerability in the Anthropic Claude SDK for TypeScript, affecting versions from 0.79.0 up to, but not including, 0.81.0, allows models to escape the sandboxed memory directory. This is achieved by injecting a crafted path that exploits a prefix validation flaw, enabling unauthorized reads and writes to a sibling directory. The issue arises because the validation check compares path prefixes without accounting for the directory separator, so a path in a sibling directory whose name begins with the memory root's name passes validation.
Impact
Exploitation of this vulnerability could lead to unauthorized access and modification of files outside the designated sandboxed memory directory, potentially allowing sensitive data to be read or overwritten.
Reproduction
The vulnerability can be reproduced by creating a sibling directory that shares the name prefix of the memory root. A symlink can then be established from within the 'memories' directory to the sibling directory. The absence of a trailing path separator in the validation check allows this maneuver to succeed, bypassing the intended directory restrictions.
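The missing-separator flaw described above, shown beside a corrected containment check. This is an added example, not the SDK's own code; the function names, the `/data/memories` root and the sample requests are constructed for illustration.

```typescript
import * as path from "node:path";

// Constructed layout: the sandbox root, plus a sibling sharing its name prefix.
const MEMORY_ROOT = "/data/memories";

// Flawed pattern from the advisory: plain prefix match, no trailing separator,
// so "/data/memories-archive/..." also passes as "inside" the root.
function isInsidePrefixOnly(root: string, requested: string): boolean {
  return path.posix.resolve(root, requested).startsWith(root);
}

// Hardened check: the resolved path must be the root itself or start with
// root + "/". This is lexical only; where symlinks can exist under the root,
// resolve both sides with fs.realpath before comparing.
function isInsideRoot(root: string, requested: string): boolean {
  const base = path.posix.resolve(root); // drops any trailing "/"
  const resolved = path.posix.resolve(base, requested);
  // A root of "/" already ends in the separator; do not double it.
  const prefix = base.endsWith(path.posix.sep) ? base : base + path.posix.sep;
  return resolved === base || resolved.startsWith(prefix);
}

// Returns the requests the flawed check accepts but the hardened one rejects.
function findDisagreements(root: string, requests: string[]): string[] {
  return requests.filter(
    (r) => isInsidePrefixOnly(root, r) && !isInsideRoot(root, r),
  );
}

// Constructed sample requests (absolute, or relative to the root).
const SAMPLE_REQUESTS = [
  "notes/todo.md",
  ".",
  "/data/memories-archive/report.txt",
  "/data/other/file.txt",
];

console.log(findDisagreements(MEMORY_ROOT, SAMPLE_REQUESTS));
```

Running `findDisagreements` over the paths a deployment has already served is a quick way to see whether the old check ever admitted a sibling directory.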
Remediation
Users are advised to update the Anthropic TypeScript SDK to version 0.81.0 or later, where this vulnerability has been patched.
