<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Claude Sonnet 5 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/claude-sonnet-5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/claude-sonnet-5/feed.xml" rel="self" type="application/rss+xml"/><item><title>Claude Code Sandbox Escape via Symlink Following</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-claude-code-sandbox-escape/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-claude-code-sandbox-escape/</guid><description>A sandbox escape vulnerability in Claude Code allowed writing arbitrary files outside the workspace by creating symlinks from within the sandbox that were followed by unsandboxed processes, potentially leading to code execution outside the sandbox.</description><content:encoded><![CDATA[<p>Claude Code versions prior to 2.1.64 contained a sandbox escape vulnerability where sandboxed processes could create symlinks pointing outside the defined workspace. Subsequently, when Claude Code's unsandboxed process wrote to a path within such a symlink, it would follow the symlink and write to the target location outside the workspace. This occurred without user confirmation, circumventing the intended sandbox restrictions. The vulnerability requires an attacker to inject untrusted content into a Claude Code context window, triggering sandboxed code execution through prompt injection. This allows a malicious actor to gain arbitrary file write access and potentially execute code outside the confines of the sandbox, bypassing security controls and potentially compromising the system. The affected package is npm/@anthropic-ai/claude-code, specifically versions less than 2.1.64.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious prompt designed to inject code into a Claude Code context window.</li>
<li>The injected code is executed within the Claude Code sandbox.</li>
<li>The sandboxed process creates a symbolic link (symlink) using standard OS tools (e.g., <code>ln -s</code>) pointing from a location within the sandbox to a target location outside the sandbox, such as <code>/etc/passwd</code> or a user's <code>.bashrc</code>.</li>
<li>The unsandboxed Claude Code process attempts to write to a file path that includes the previously created symlink.</li>
<li>The unsandboxed process follows the symlink to the external target location.</li>
<li>The unsandboxed process writes arbitrary data to the target location outside the sandbox, bypassing intended security restrictions.</li>
<li>If a configuration file like <code>.bashrc</code> is overwritten, the attacker could achieve code execution upon the next shell startup.</li>
<li>Successful exploitation allows the attacker to potentially execute arbitrary code outside the sandbox, compromising the entire system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could lead to arbitrary file write access outside the Claude Code sandbox. This allows an attacker to modify critical system files, inject malicious code into startup scripts, or compromise user accounts. While the specific number of victims is not stated, any user running a vulnerable version of Claude Code is susceptible. Sectors at risk include any that rely on the security of the Claude Code sandbox for protecting sensitive data or preventing unauthorized code execution. A successful attack could lead to full system compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update the npm/@anthropic-ai/claude-code package to version 2.1.64 or later to remediate the vulnerability (reference: Affected Packages).</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious Symlink Creation within Claude Code Sandboxes&quot; to identify attempts to create symlinks within the sandbox environment (reference: Sigma Rule).</li>
<li>Monitor file system events for writes to unexpected locations from Claude Code processes, paying special attention to writes following symlink traversal (reference: Sigma Rule).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sandbox-escape</category><category>symlink</category><category>arbitrary-file-write</category></item></channel></rss>