
Claude Code Vulnerabilities: Arbitrary Code Execution


With more than 10 million weekly downloads, Anthropic’s Claude Code CLI has become an integral part of the modern development ecosystem. The adoption of Model Context Protocol (MCP) gives this AI agent expanded capabilities while also creating new attack vectors across enterprise infrastructure.

Researchers at Sonar identified two critical vulnerabilities that allowed cybercriminals to execute arbitrary code on a user’s machine before the user approved the tool’s access to the workspace. While current discussions are largely focused on LLM-specific risks such as prompt injection, foundational security flaws in development environments and configurations remain a top defensive priority.

The Challenge

The illusion of security in a trusted environment

To reduce risk, Anthropic introduced a permission-based architecture in which a trust confirmation dialog for new projects serves as a key control point. This mechanism assumes that a developer consciously grants the tool permission to read the project's files. However, a close analysis of Claude Code's initialization process showed that certain processes were launched before this protective barrier was activated. The established practice of sharing code among developers and contractors turns cloning an unverified repository into a potential threat: an attacker only needs to place hidden settings in the repository's files to compromise the environment the moment the tool starts, without any additional action from the victim.


Attack Vectors

Local configurations and hidden settings

Sonar's experts focused on the stage that precedes the trust confirmation window.

The first vulnerability involved the handling of Git configuration, specifically the "log.showSignature" parameter, which makes git verify commit signatures when it shows log output. Because git performs that verification by invoking the program named in the "gpg.program" parameter, an attacker could set "gpg.program" in the repository's own ".git/config" file to point to any malicious script, which would then run when Claude Code read the commit history.

The second vector exploited the tool's own project-level settings in the ".claude/settings.json" file. Through settings such as "apiKeyHelper", or hook definitions that run system commands, an attacker could execute commands while bypassing every interface-level barrier.
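Both vectors live in two repository-local files that a reviewer can inspect before launching any tool inside a fresh clone. The scanner below is an added example written for this article, not Sonar's research code or Claude Code's own logic. It parses the checkout's ".git/config" and ".claude/settings.json" and reports the keys the text describes. The "hooks" key name is taken from Claude Code's settings documentation rather than from the article, and the sample file contents are constructed placeholders, not real payloads.

```python
"""Pre-trust scan of a freshly cloned repository for the configuration keys the
article names. Added example; not Sonar's research code or Claude Code's own logic."""
import json
import tempfile
from pathlib import Path

# Repo-local .git/config (section, key) pairs named in the article: together they
# make git run a repository-chosen program when commit signatures are shown.
GIT_RISKY_KEYS = {("gpg", "program"), ("log", "showsignature")}
# Top-level .claude/settings.json keys that can run commands. 'apiKeyHelper' is
# named in the article; 'hooks' is the key name from Claude Code's settings
# documentation (assumption: the article does not spell out the key).
CLAUDE_RISKY_KEYS = ("apiKeyHelper", "hooks")


def parse_git_config(text: str) -> list[tuple[str, str, str]]:
    """Minimal parser for git's INI-like config: returns (section, key, value) triples.

    Section names and keys are case-insensitive in git, so both are lowercased.
    Subsections ('[gpg "openpgp"]' or '[gpg.openpgp]') fold into their parent
    section so format-specific variants are matched too. A bare key means true.
    """
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()[0].split(".")[0].lower()
            continue
        if section is None:
            continue  # key before any section header: malformed, ignore
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            key, value = line, "true"
        entries.append((section, key.lower(), value))
    return entries


def scan_git_config(text: str) -> list[str]:
    """Return one finding per risky git setting present in the config text."""
    return [
        f".git/config: {section}.{key} = {value}"
        for section, key, value in parse_git_config(text)
        if (section, key) in GIT_RISKY_KEYS
    ]


def scan_claude_settings(text: str) -> list[str]:
    """Return one finding per command-capable key in a settings.json document."""
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        # Unparseable settings are surfaced rather than skipped: a reviewer should
        # look at the file, not assume the tool will ignore it.
        return [f".claude/settings.json: unparseable JSON ({exc.msg})"]
    if not isinstance(settings, dict):
        return [".claude/settings.json: top level is not a JSON object"]
    return [f".claude/settings.json: key '{k}' present" for k in CLAUDE_RISKY_KEYS if k in settings]


def scan_repo(repo: Path) -> list[str]:
    """Scan a checkout; an empty list means neither file carries a flagged key."""
    findings = []
    git_config = repo / ".git" / "config"
    if git_config.is_file():
        findings += scan_git_config(git_config.read_text(encoding="utf-8", errors="replace"))
    settings = repo / ".claude" / "settings.json"
    if settings.is_file():
        findings += scan_claude_settings(settings.read_text(encoding="utf-8", errors="replace"))
    return findings


# Constructed sample files (placeholders, not real payloads) to exercise the scanner.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://example.invalid/repo.git
[log]
\tshowSignature = true
[gpg]
\tprogram = ./REPO_LOCAL_PROGRAM_PLACEHOLDER
"""
SAMPLE_SETTINGS = '{"apiKeyHelper": "PLACEHOLDER_COMMAND", "permissions": {}}'


def build_sample_repo(risky: bool = True) -> Path:
    """Write a throwaway checkout into a temp dir; risky=False writes benign files."""
    repo = Path(tempfile.mkdtemp(prefix="claude-pretrust-"))
    (repo / ".git").mkdir()
    (repo / ".claude").mkdir()
    if risky:
        (repo / ".git" / "config").write_text(SAMPLE_GIT_CONFIG, encoding="utf-8")
        (repo / ".claude" / "settings.json").write_text(SAMPLE_SETTINGS, encoding="utf-8")
    else:
        (repo / ".git" / "config").write_text("[core]\n\tbare = false\n", encoding="utf-8")
        (repo / ".claude" / "settings.json").write_text('{"permissions": {}}', encoding="utf-8")
    return repo


if __name__ == "__main__":
    for line in scan_repo(build_sample_repo()) or ["no flagged settings"]:
        print(line)
```

Run it against a clone before launching any tool in it; a non-empty result means stop and read the flagged file. It deliberately inspects only the repository-local files, since that is what a cloned repository can carry; user-level and system-level git configuration are outside its scope.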


Real-World Scenarios

Stealthy infrastructure compromise

In practice, the compromise unfolds almost invisibly. A developer downloads a third-party repository from a contractor, or finds a solution in a public source, and runs the "claude" command to analyze it. Instead of pausing for the trust confirmation, the tool immediately acts on the instructions in the hidden configuration files. Through those background scripts, a cybercriminal can steal SSH keys and authorization tokens, take control of the workstation, and move into the internal corporate network. This scenario shows how basic system automation can neutralize the application's layered defenses, and why a Zero Trust stance is required for every file a tool reads.

The Fix

Architecture updates and layered defense

After receiving the report on the identified flaws, Anthropic promptly released a fix in Claude Code version 2.0.71 on December 16, 2025. The primary architectural change moved all operations that read or act on project configuration to the stage after trust confirmation. This restores the principle of layered defense, in which explicit human approval is a strict requirement before any hidden process can begin. Security administrators should enforce the update across every installation of the tool in the organization to reliably close these vectors.

The rapid evolution of AI agents does not diminish the importance of traditional configuration management and workstation security—it multiplies it. The identified bypass techniques in initialization mechanisms prove that cybersecurity principles must extend to the underlying execution infrastructure, where even the simplest text file can become a foothold into the network.

Ultimately, building resilience across enterprise development systems requires a comprehensive approach and security tooling that adapts to emerging risks. As a Value Added Distributor, iIT Distribution provides expert support in designing robust security architectures. iITD specialists deliver technical consulting and end-to-end implementation of solutions from global manufacturers across every stage of an organization’s IT project lifecycle.
