Francesco Cipollone

Name of the Vulnerable Software and Affected Versions Anthropic Claude Code CLI and Claude Agent SDK (affected versions not specified) Description Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection issue in the command lookup helper and deep-link terminal launcher. Local attackers can execute arbitrary commands by manipulating the `TERMINAL` environment variable. Injecting shell metacharacters into the `TERMINAL` variable allows the construction and execution of shell commands with `shell=true` via `/bin/sh`. This can be triggered during normal CLI execution and through the deep-link handler, resulting in arbitrary command execution with the privileges of the user running the CLI. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Anthropic Claude Code CLI and Claude Agent SDK (affected versions not specified) Description The Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection issue in the prompt editor invocation utility. Attackers can execute arbitrary commands by crafting malicious file paths containing shell metacharacters such as `$()` or backtick expressions. Even when file paths are enclosed in double quotes, POSIX shell semantics allow command substitution within those quotes, leading to arbitrary command execution with the privileges of the user running the CLI. The vulnerability is present because the file path is interpolated into shell commands executed via `execSync`. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions Anthropic Claude Code CLI and Claude Agent SDK (affected versions not specified) Description Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection issue in authentication helper execution. Helper configuration values are executed using `shell=true` without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like `apiKeyHelper`, `awsAuthRefresh`, `awsCredentialExport`, and `gcpAuthRefresh` to execute arbitrary commands with the privileges of the user or automation environment. This can lead to credential theft and environment variable exfiltration. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.