Platform
nodejs
Component
@anthropic-ai/claude-code
Fixed in
2.0.75
2.0.74
CVE-2026-24053 describes an Arbitrary File Access vulnerability discovered in the @anthropic-ai/claude-code Node.js package. This flaw stems from a Bash command validation issue when parsing ZSH clobber syntax, allowing attackers to potentially write files outside the intended directory. Affected versions are those prior to 2.0.74; users on auto-update have already received the fix, while manual update users are advised to upgrade.
An attacker exploiting this vulnerability could potentially gain unauthorized access to files and directories outside the intended scope within the Claude Code environment. This could lead to data exfiltration, modification of critical files, or even the execution of arbitrary code if the attacker can leverage the file write access to create and execute malicious scripts. The attack requires the user to be using ZSH and to be able to inject untrusted content into a Claude Code context window, limiting the immediate attack surface but still posing a significant risk in environments where such conditions are met.
This vulnerability was reported through HackerOne by Alex Bernier. There is currently no indication of active exploitation in the wild, and it is not listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests that it could be relatively straightforward to exploit once a suitable payload is crafted. The requirement for ZSH and context window injection may limit its immediate applicability.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
The primary mitigation for CVE-2026-24053 is to immediately update the @anthropic-ai/claude-code package to version 2.0.74 or later. For environments where immediate upgrades are not feasible, consider restricting user input within the Claude Code context window to prevent the injection of malicious ZSH commands. While a direct WAF rule is unlikely to be effective, input validation and sanitization routines should be reviewed to ensure they adequately handle potentially malicious characters and command sequences. After upgrading, verify the fix by attempting to write a file outside the intended working directory using a ZSH command within a Claude Code context window; the operation should be denied.
Update Claude Code to version 2.0.74 or higher. This version corrects the path restriction bypass vulnerability. Ensure that all ZSH users within the context of Claude Code are aware of the vulnerability and avoid introducing untrusted content.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-24053 is a HIGH severity vulnerability in @anthropic-ai/claude-code allowing attackers to write files outside the intended directory due to a flawed Bash command validation. It affects versions before 2.0.74.
You are affected if you are using @anthropic-ai/claude-code version 2.0.74 or earlier and use ZSH. Users on auto-update have already received the fix.
Update @anthropic-ai/claude-code to version 2.0.74 or later. Restrict user input in Claude Code context windows as a temporary workaround.
There is currently no evidence of active exploitation in the wild, but the vulnerability is potentially exploitable.
Refer to the HackerOne report and the @anthropic-ai/claude-code package documentation for updates and advisories.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.