Plattform
nodejs
Komponente
@anthropic-ai/claude-code
Behoben in
2.0.75
2.0.74
CVE-2026-24053 describes an Arbitrary File Access vulnerability discovered in the @anthropic-ai/claude-code Node.js package. This flaw stems from inadequate Bash command validation when parsing ZSH clobber syntax, allowing attackers to potentially write files outside the intended directory. Affected versions are those prior to 2.0.74; users on auto-update have already received the fix, while manual update users are advised to upgrade.
An attacker exploiting this vulnerability could potentially gain unauthorized access to sensitive files and directories on the system running @anthropic-ai/claude-code. By crafting malicious ZSH clobber syntax within a Claude Code context window, an attacker could bypass directory restrictions and write arbitrary files. This could lead to data exfiltration, code injection, or even remote code execution depending on the permissions of the process running the package. The requirement for the user to be using ZSH and able to inject content into the context window limits the immediate attack surface, but the potential impact remains significant.
This vulnerability was reported through HackerOne by Alex Bernier. As of the public disclosure date (2026-02-03), there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Developers and users of the @anthropic-ai/claude-code package, particularly those using ZSH as their default shell and those who allow users to input content into Claude Code context windows. Shared hosting environments where multiple users have access to the same Node.js environment are also at increased risk.
• nodejs / supply-chain:
npm list @anthropic-ai/claude-code• nodejs / supply-chain:
node -v # Check Node.js version• generic web: Examine Claude Code context window input fields for potential ZSH command injection attempts. Look for unusual characters or sequences that could be interpreted as shell commands.
disclosure
Exploit-Status
EPSS
0.02% (5% Perzentil)
CISA SSVC
The primary mitigation for CVE-2026-24053 is to upgrade to version 2.0.74 or later of the @anthropic-ai/claude-code package. Users utilizing manual updates should prioritize this upgrade. As a temporary workaround, restrict user input within the Claude Code context window to prevent the injection of malicious ZSH commands. Consider implementing input validation and sanitization to further reduce the risk. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the application code itself. After upgrading, confirm the fix by attempting to write a file outside the intended directory using a ZSH command within a Claude Code context window; the operation should be denied.
Actualice Claude Code a la versión 2.0.74 o superior. Esta versión corrige la vulnerabilidad de omisión de restricciones de ruta. Asegúrese de que todos los usuarios de ZSH dentro del contexto de Claude Code estén al tanto de la vulnerabilidad y eviten introducir contenido no confiable.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-24053 is a HIGH severity vulnerability in @anthropic-ai/claude-code allowing attackers to write files outside the intended directory due to a flawed Bash command validation. It affects versions before 2.0.74.
You are affected if you are using @anthropic-ai/claude-code version 2.0.74 or earlier and use ZSH. Users on auto-update have already received the fix.
Update @anthropic-ai/claude-code to version 2.0.74 or later. Restrict user input in Claude Code context windows as a temporary workaround.
There is currently no evidence of active exploitation in the wild, but the vulnerability is potentially exploitable.
Refer to the HackerOne report and the @anthropic-ai/claude-code package documentation for updates and advisories.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.