Anthropic Claude Code CLI and Agent SDK OS Command Injection Vulnerability

A command injection vulnerability has been identified in Anthropic's Claude Code CLI and Claude Agent SDK for Python. This vulnerability resides in the command lookup helper and deep-link terminal launcher, allowing local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. The injection occurs when shell metacharacters are introduced into the TERMINAL variable, which are then interpreted by /bin/sh as the command lookup helper constructs and executes shell commands with shell=true. This issue can be exploited during regular CLI use or through the deep-link handler, leading to unauthorized command execution with the privileges of the user running the CLI.

Impact

Exploitation of this vulnerability allows for arbitrary command execution within the CLI process, using the permissions of the user.

Reproduction

The vulnerability can be reproduced by setting the TERMINAL environment variable to a value containing shell metacharacters. This can be done through various means, such as a .env file, CI/CD pipeline variables, or IDE workspace settings. Once the variable is set, triggering the CLI's deep-link handler will cause the command lookup to read the TERMINAL value, interpolate it into a shell command, and execute it, with the shell interpreting the metacharacters as commands.

Remediation

Users are advised to set the ANTHROPIC_API_KEY environment variable directly, bypassing the helper execution path. In CI/CD environments, generate settings from trusted sources and avoid loading untrusted workspace settings.