{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/claude-code-cli-2.1.198/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:anthropic:claude_code:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":10,"id":"CVE-2026-39861"}],"_cs_exploited":false,"_cs_has_poc":true,"_cs_poc_references":[],"_cs_products":["Claude Code (CLI 2.1.116)","Claude Code (CLI 2.1.196)","Claude Code (CLI 2.1.198)","Claude Code (CLI 2.1.199)","Claude Sonnet 4.6","Claude Sonnet 5","Claude Opus 4.8","OpenAI Codex (CLI 0.142.4)","GPT-5.5"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","symlink","arbitrary-file-write"],"_cs_type":"advisory","_cs_vendors":["Anthropic","OpenAI"],"content_html":"\u003cp\u003eClaude Code versions prior to 2.1.64 contained a sandbox escape vulnerability where sandboxed processes could create symlinks pointing outside the defined workspace. Subsequently, when Claude Code's unsandboxed process wrote to a path within such a symlink, it would follow the symlink and write to the target location outside the workspace. This occurred without user confirmation, circumventing the intended sandbox restrictions. The vulnerability requires an attacker to inject untrusted content into a Claude Code context window, triggering sandboxed code execution through prompt injection. This allows a malicious actor to gain arbitrary file write access and potentially execute code outside the confines of the sandbox, bypassing security controls and potentially compromising the system. The affected package is npm/@anthropic-ai/claude-code, specifically versions less than 2.1.64.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt designed to inject code into a Claude Code context window.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed within the Claude Code sandbox.\u003c/li\u003e\n\u003cli\u003eThe sandboxed process creates a symbolic link (symlink) using standard OS tools (e.g., \u003ccode\u003eln -s\u003c/code\u003e) pointing from a location within the sandbox to a target location outside the sandbox, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e or a user's \u003ccode\u003e.bashrc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unsandboxed Claude Code process attempts to write to a file path that includes the previously created symlink.\u003c/li\u003e\n\u003cli\u003eThe unsandboxed process follows the symlink to the external target location.\u003c/li\u003e\n\u003cli\u003eThe unsandboxed process writes arbitrary data to the target location outside the sandbox, bypassing intended security restrictions.\u003c/li\u003e\n\u003cli\u003eIf a configuration file like \u003ccode\u003e.bashrc\u003c/code\u003e is overwritten, the attacker could achieve code execution upon the next shell startup.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to potentially execute arbitrary code outside the sandbox, compromising the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to arbitrary file write access outside the Claude Code sandbox. This allows an attacker to modify critical system files, inject malicious code into startup scripts, or compromise user accounts. While the specific number of victims is not stated, any user running a vulnerable version of Claude Code is susceptible. Sectors at risk include any that rely on the security of the Claude Code sandbox for protecting sensitive data or preventing unauthorized code execution. A successful attack could lead to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate the npm/@anthropic-ai/claude-code package to version 2.1.64 or later to remediate the vulnerability (reference: Affected Packages).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Symlink Creation within Claude Code Sandboxes\u0026quot; to identify attempts to create symlinks within the sandbox environment (reference: Sigma Rule).\u003c/li\u003e\n\u003cli\u003eMonitor file system events for writes to unexpected locations from Claude Code processes, paying special attention to writes following symlink traversal (reference: Sigma Rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T05:36:42Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-claude-code-sandbox-escape/","summary":"A sandbox escape vulnerability in Claude Code allowed writing arbitrary files outside the workspace by creating symlinks from within the sandbox that were followed by unsandboxed processes, potentially leading to code execution outside the sandbox.","title":"Claude Code Sandbox Escape via Symlink Following","url":"https://feed.craftedsignal.io/briefs/2024-01-30-claude-code-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed - Claude Code (CLI 2.1.198)","version":"https://jsonfeed.org/version/1.1"}