Anthropic Claude Code CLI and Agent SDK OS Command Injection Vulnerability
Vulnerability
A command injection vulnerability has been identified in Anthropic's Claude Code CLI and Claude Agent SDK. It allows attackers to execute arbitrary commands by injecting shell metacharacters into file paths that are then interpolated into shell commands. The issue arises in the prompt editor invocation utility, where the file path is not properly sanitized before being interpolated into a command executed via execSync. Although the path is enclosed in double quotes, POSIX shell rules permit command substitution within double quotes, so the injected commands run with the privileges of the user running the CLI.
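The quoting behaviour described above, shown as an added example that is not Anthropic's code: echo stands in for the editor, and the function names and sample file names are constructed for illustration. The first function reproduces the string-interpolation pattern; the second passes the path as a single argv element with no shell, which is a general hardening pattern and not a statement of how the vendor fixed the issue.

```javascript
// Added example (not Anthropic's code): echo stands in for the editor binary.
const { execSync, execFileSync } = require('node:child_process');

const EDITOR = 'echo'; // assumption: prints back the path argument it receives

// Vulnerable pattern: the path is pasted into a shell command string.
// Double quotes stop word splitting and globbing, but /bin/sh still expands
// $(...) and `...` inside them before the editor process ever starts.
function openInEditorUnsafe(filePath) {
  return execSync(`${EDITOR} "${filePath}"`, { encoding: 'utf8' }).trimEnd();
}

// Hardened pattern: no shell is involved. The path travels as one argv
// element, so metacharacters are just bytes in a file name.
function openInEditorSafe(filePath) {
  return execFileSync(EDITOR, [filePath], { encoding: 'utf8' }).trimEnd();
}

// Constructed file names; the embedded command is a harmless echo marker.
const SAMPLES = [
  'notes.txt',
  'notes-$(echo INJECTED).txt',
  'notes-`echo INJECTED`.txt',
];

// Report, per sample, the path string each launcher handed to the "editor".
function compareLaunchers(samples = SAMPLES) {
  return samples.map((name) => {
    const unsafe = openInEditorUnsafe(name);
    const safe = openInEditorSafe(name);
    return { name, unsafe, safe, shellRewrotePath: unsafe !== name };
  });
}

for (const row of compareLaunchers()) {
  console.log(JSON.stringify(row));
}
```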
Impact
Exploitation of this vulnerability allows for arbitrary command execution in the context of the user running the CLI or SDK, with access to the user's full permissions, including file system, network, and cloud credentials. In a CI/CD environment, this could lead to significant credential theft and unauthorized access to cloud resources and production deployments.
Reproduction
The vulnerability can be reproduced by creating a file with a name that includes shell metacharacters, such as command substitution syntax, and then using the Claude CLI to edit that file. The CLI will interpolate the file path into a shell command, which the shell will execute, thereby running the injected commands. This vulnerability can also be exploited by modifying the .claude/settings.json file in a repository to include a malicious helper value that executes commands when the CLI is run in a CI/CD pipeline.
Remediation
Users are advised to set the ANTHROPIC_API_KEY environment variable directly, bypassing the CLI's authentication helper execution. In CI/CD environments, it is recommended to generate Claude CLI settings from trusted sources and to avoid using the -p mode with untrusted workspaces.
