Critical Vulnerabilities Discovered in Anthropic’s Claude Code
Check Point Research has identified serious vulnerabilities in Anthropic’s Claude Code that could allow remote code execution and API key theft through compromised project configurations. The vulnerabilities exploit various configuration mechanisms such as Hooks, Model Context Protocol (MCP) servers, and environment variables. These issues were addressed in collaboration with Anthropic’s security team, and all reported vulnerabilities have been patched prior to this release.
The rise of AI-powered development tools is reshaping software workflows, creating novel attack surfaces that conventional security practices are ill-equipped to manage. Claude Code enables developers to automate coding tasks directly from their terminal using natural language commands. However, this automation raises substantial security concerns. Configuration files, like .claude/settings.json, serve critical roles in project operations but can also facilitate exploitation if corrupted. Contributors with commit access may unintentionally introduce harmful configurations, potentially leading to unexpected actions on collaborators’ machines.
Vulnerability Analysis
Remote Code Execution via Hooks: The Hooks feature in Claude Code automates processes according to predefined conditions but can be manipulated by malicious contributors. Researchers demonstrated this by crafting a hook that executed arbitrary commands upon the project’s startup, bypassing the usual confirmation prompts associated with command execution. This behavior allows attackers to run harmful scripts or payloads seamlessly on a victim’s machine.
MCP User Consent Bypass: Similarly, the MCP feature permits integration with external services but also permits malicious commands through repository-controlled configurations. By exploiting certain parameters, attackers can initiate MCP server commands without user confirmation, leading to immediate execution of harmful tasks.
API Key Exfiltration: The investigation further revealed that a specific environment variable, ANTHROPIC_BASE_URL, could be configured to redirect API communications to an attacker-controlled server. By intercepting these communications with tools like mitmproxy, attackers can capture sensitive API keys before a developer acknowledges trust in the project.
Defensive Context
Organizations utilizing AI-assisted development tools, particularly those involving Claude Code, must remain vigilant against supply chain attack vectors introduced by the exploitable configuration files. Developers with direct influence over repositories need to be cautious and apply stringent review processes even to configuration files, which are commonly trusted without scrutiny.
Protecting against these vulnerabilities requires heightened awareness of the dependencies brought into projects and the nature of automation in development. Specific teams actively involved in code reviews, especially those that work with AI integrations, are particularly at risk and should prioritize due diligence regarding project configurations.
In summary, these vulnerabilities showcase a critical intersection of convenience and security risk in modern development environments. The emergence of AI tools necessitates a reevaluation of security protocols to adequately protect against the exploitation of project configurations.
