@anthropic-ai/claude-code: Claude Code: Arbitrary code execution through git directory confusion
Summary
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163. A flaw was found in Claude Code, an agentic coding tool, in its handling of worktrees. This vulnerability allowed the creation of specially named worktrees and navigation outside of the intended secure environment, leading to what is known as a 'git directory confusion attack'. By manipulating symbolic links and how git monitors file system changes, an attacker could overwrite important user files, potentially leading to unauthorized code execution on the user's system. This attack requires a user to interact with a malicious code repository. This is an Important vulnerability in Claude Code, an agentic coding tool within OpenShift Lightspeed, stemming from a git directory confusion flaw. The vulnerability allows an attacker to overwrite user configuration files, leading to arbitrary code execution outside of sandbox restrictions. Exploitation requires a user to clone a malicious repository and then execute Claude Code against its contents. Red Hat severity: Important — CVSS 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). Weakness: CWE-59. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 4 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.