Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
claude-code-cache-fix is a tool that speeds up Claude Code by caching results. Versions 3.5.0 through 3.5.1 have a code injection vulnerability (CWE-94, inserting malicious code into a program) in the file tools/quota-statusline.sh, where user input containing a `'''` triple-quote sequence can break out of a Python string and execute arbitrary code on the user's system. This is a high-severity bug exploitable by a local attacker who can control the input to Claude Code.
Fix: This vulnerability is fixed in version 3.5.2. Users should update to claude-code-cache-fix 3.5.2 or later.
Source: NVD/CVE Database

MLflow version 3.9.0 has a vulnerability in its Assistant feature where /ajax-api endpoints don't properly validate the origin (the source website making a request). This allows an attacker on a malicious webpage to send cross-origin requests (requests from a different domain) to trick the MLflow Assistant running on a victim's computer, bypass security restrictions meant to only allow local access, and execute arbitrary commands (run any code they choose) through the Claude Code sub-agent.
Claude HUD versions up to 0.0.12 contain a command injection vulnerability (a security flaw where an attacker can trick a program into running harmful commands) that affects Windows systems. An attacker with local access can manipulate the COMSPEC environment variable (a Windows setting that specifies which command interpreter to use) before the software checks its version, causing it to run malicious code with system permissions.
Claude HUD versions up to 0.0.12 contain a path traversal vulnerability (a flaw where attackers can access files outside intended directories by manipulating file paths) that lets attackers read any file the program can access by sending a malicious transcript_path value. Additionally, the vulnerability creates a cache file with weak permissions that records which files were accessed, leaving evidence even after the program stops running.
Claude HUD version 0.0.12 and earlier has a vulnerability where it creates terminal hyperlinks (clickable links in terminal windows) using user-controlled data without properly cleaning it first, allowing attackers to inject malicious terminal codes (ANSI codes, which control formatting and behavior in terminals) that could change text colors, fake command prompts, steal clipboard data, or redirect users to attacker-controlled websites.
A vulnerability in the python-utcp library exposed all environment variables (including secrets like API keys and database passwords) to subprocesses because the `_prepare_environment()` function copied the entire host environment. When combined with a command injection flaw (CWE-78, where an attacker can sneak malicious commands into tool arguments), an attacker could steal sensitive credentials like AWS keys, database connection strings, and LLM API keys in a single tool call.
Claude Desktop for Windows had a security flaw in versions before 1.3834.0 where the CoworkVMService component (a background service running with high system privileges) did not properly check if directories were real folders or directory junctions (shortcuts that point to other locations) before creating files in them. An attacker with basic user access could trick this service into creating files in any location on the computer, potentially allowing them to gain administrator-level control of the system.
The Claude Desktop app's SSH remote development feature (versions 1.2581.0 to before 1.4304.0) had a security flaw where it only checked if a hostname was in the ~/.ssh/known_hosts file without verifying that the server's actual host key matched the stored one. This allowed a network attacker (someone who could intercept traffic through methods like ARP spoofing or rogue Wi-Fi) to perform a man-in-the-middle attack (secretly intercepting and potentially altering communications between two parties) on remote development sessions, as long as the hostname was already in the victim's known_hosts file.
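The difference between the insufficient check described above and a correct host-key check, as an added Python example that is not Anthropic's code or part of the advisory. It assumes OpenSSH's known_hosts format (plain and `|1|` hashed host entries) and uses constructed sample entries and keys.

```python
import base64
import hashlib
import hmac


def parse_known_hosts(text):
    """Yield (host_pattern, key_type, key_b64) from OpenSSH known_hosts text."""
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 3 and not parts[0].startswith(("#", "@")):
            yield parts[0], parts[1], parts[2]  # @-marker lines are skipped here


def hash_hostname(hostname, salt):
    """Build an OpenSSH hashed host pattern: |1|base64(salt)|base64(hmac_sha1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _host_matches(pattern, hostname):
    if pattern.startswith("|1|"):
        salt_b64 = pattern.split("|")[2]
        return hmac.compare_digest(hash_hostname(hostname, base64.b64decode(salt_b64)), pattern)
    return hostname in pattern.split(",")  # plain, comma-separated names; wildcards not handled


def hostname_known(text, hostname):
    """The insufficient check from the advisory: is the name present in the file at all?"""
    return any(_host_matches(p, hostname) for p, _, _ in parse_known_hosts(text))


def host_key_verified(text, hostname, key_type, key_b64):
    """The correct check: a line for this host must carry exactly the key the server offered."""
    return any(
        _host_matches(p, hostname) and kt == key_type and hmac.compare_digest(key, key_b64)
        for p, kt, key in parse_known_hosts(text)
    )


# Constructed sample data (not real keys): one plain and one hashed entry for different hosts.
GOOD_KEY = base64.b64encode(b"constructed-legitimate-host-key").decode()
OTHER_KEY = base64.b64encode(b"constructed-key-offered-by-an-impostor").decode()
SAMPLE_KNOWN_HOSTS = (
    "# constructed ~/.ssh/known_hosts\n"
    "dev.example.test ssh-ed25519 " + GOOD_KEY + "\n"
    + hash_hostname("build.example.test", b"0123456789abcdefghij") + " ssh-ed25519 " + GOOD_KEY + "\n"
)
```

A host for which `hostname_known` returns True while `host_key_verified` returns False is exactly the case the advisory describes: the name is on file, but the server presenting a different key should not be trusted.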
nnU-Net (a framework for automatically analyzing and segmenting images) had a vulnerability in its GitHub workflow where untrusted user input from issue titles and descriptions was sent directly to an AI agent without proper filtering. This allowed attackers to trick the AI agent into performing unintended actions like commenting on or relabeling issues, since the workflow ran automatically whenever someone opened an issue.
The Claude SDK for TypeScript had a security flaw where a tool called `BetaLocalFilesystemMemoryTool` created files and folders with overly permissive access settings (using Node.js defaults like `0o666` for files and `0o777` for directories, which control who can read or modify them). This meant that on shared computers or in containerized environments (like Docker), other users could read sensitive agent data or modify it to change how the AI behaves.
A path traversal vulnerability (a bug where an attacker manipulates file paths to access files they shouldn't) was found in the ErlichLiu claude-agent-sdk, affecting a file called app/api/agent-output/route.ts. An attacker can exploit this remotely by manipulating the outputFile parameter, and the vulnerability has already been publicly disclosed. The project uses continuous updates but has not yet responded to the security report.
Claude Code had a security flaw where it checked a git worktree (a Git feature allowing multiple branch checkouts in separate directories) `commondir` file to decide if a folder was trustworthy, but didn't verify the file's contents. An attacker could create a malicious repository with a fake `commondir` file pointing to a folder the victim had previously trusted, tricking Claude Code into skipping its safety dialog and running malicious code from `.claude/settings.json` (a configuration file). This attack required the victim to clone the malicious repository and open it in Claude Code, and the attacker had to know a path the victim had already marked as safe.
Claude Code, an agentic coding tool (AI that can write and execute code), had a sandbox escape vulnerability before version 2.1.64 where sandboxed processes could create symlinks (shortcuts pointing to files outside their designated area) that allowed writing to locations outside the workspace without user permission. An attacker could exploit this by injecting malicious instructions into Claude Code's input, potentially executing code outside the intended sandbox.
Claude Code on Windows had a security flaw where it loaded configuration files from a shared system directory without checking who owned that directory or had permission to change it. Since regular users could write to this directory by default, an attacker could create a malicious configuration file that would run with elevated privileges when another user launched Claude Code, allowing a local privilege escalation (unauthorized access to higher-level permissions).
Anthropic experienced a brief outage on Wednesday affecting its Claude chatbot, API (application programming interface, the connection between software services), and Claude Code assistant, with elevated error rates beginning around 10:53 a.m. ET. By 1:50 p.m. ET, all systems were restored and operational, with login success rates stabilizing by 12:30 p.m. ET.
The java-sdk has a DNS rebinding vulnerability (an attack where a hacker tricks your browser into accessing a private server by manipulating domain name resolution) that allows attackers to make tool calls to local or private MCP (model context protocol, a system for AI agents to interact with tools) servers if you visit a malicious website. This happens because the java-sdk wasn't validating the Origin header (a security check that confirms requests come from trusted sources) before version 1.0.0, violating the MCP specification.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where authentication helper settings are executed with `shell=true` (allowing shell commands to run) without checking the input first. An attacker who can change settings like `apiKeyHelper` or `awsAuthRefresh` could inject shell metacharacters (special characters that have meaning in command shells) to run arbitrary commands with the user's privileges, potentially stealing credentials or accessing environment variables.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where attackers can execute arbitrary commands (run any code they want) by inserting shell metacharacters (special characters like $() that tell the system to run commands) into file paths. Even though the code tries to protect these paths by wrapping them in double quotes, the POSIX shell (the command-line interface on Unix/Linux systems) still processes these injected expressions, giving attackers the same permissions as the user running the CLI.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where attackers can run arbitrary commands by manipulating the TERMINAL environment variable (a setting that controls which terminal program to use). When the software constructs shell commands, it doesn't properly sanitize the TERMINAL variable, allowing attackers to inject shell metacharacters (special characters that have meaning to command interpreters) that get executed with the user's privileges.
Fix: Update to MLflow version 3.10.0, where this issue is resolved.
Source: NVD/CVE Database

Fix: The vulnerability was patched in commit 234d9aa. Users should update to a version after 0.0.12 that includes this patch.
Source: NVD/CVE Database

Fix: The vulnerability was patched in commit 234d9aa. Users should update to a version containing this commit or later.
Source: NVD/CVE Database

Fix: Patched in commit 234d9aa.
Source: NVD/CVE Database

Fix: Upgrade to utcp-cli version 1.1.2 or later. The patch changes `_prepare_environment()` to use a controlled allowlist of environment variables instead of copying everything. Users can configure which variables are inherited via a new `CliCallTemplate.inherit_env_vars` field: set it to `null` (default, uses a safe OS-specific allowlist like PATH and HOME), `[]` (strict mode, nothing inherited), or specify exact variable names like `["FOO", "BAR"]`. Sensitive variables like `OPENAI_API_KEY` no longer reach subprocesses unless explicitly allowed.
Source: GitHub Advisory Database

Fix: Update Claude Desktop to version 1.3834.0 or later, which includes a fix for this vulnerability.
Source: NVD/CVE Database

Fix: Update Claude Desktop to version 1.4304.0 or later.
Source: NVD/CVE Database

Fix: This vulnerability is fixed in version 2.4.1.
Source: NVD/CVE Database

Fix: Users on the affected versions are advised to update to the latest version.
Source: GitHub Advisory Database

Fix: Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
Source: GitHub Advisory Database

Fix: Update to Claude Code version 2.1.64 or later. The source states: 'Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.'
Source: NVD/CVE Database

Fix: Users on standard Claude Code auto-update have already received this fix. Users performing manual updates are advised to update to the latest version.
Source: GitHub Advisory Database

Fix: Users can mitigate this risk by: 1) Running the MCP server behind a reverse proxy (a security layer like Nginx or HAProxy that forwards requests and can validate headers) configured to strictly validate the Host and Origin headers, or 2) Using a framework that inherently enforces strict CORS (cross-origin resource sharing, a browser security feature that controls which websites can access your data) and Origin validation, such as Spring AI.
Source: GitHub Advisory Database

Directus, a content management system, failed to properly sanitize sensitive data (like user tokens, two-factor authentication secrets, and API keys) before storing them in revision history records. This meant that anyone with access to the revision database table could read these secrets in plaintext, potentially allowing account takeover or unauthorized access to third-party services.