CVE-2025-66032

Prompt Injection Meets Shell Injection: Breaking Claude Code

Amit Schendel
Senior Security Researcher

Jan 13, 2026 · 5 min read

Executive Summary (TL;DR)

Claude Code's command validator did not account for shell constructs such as the `$IFS` variable (the Internal Field Separator, which the shell expands to whitespace). By crafting commands that contain no literal spaces, an attacker can get the tool to run blocked binaries (such as `rm` or `curl`), bypassing its security checks and achieving RCE on developer workstations.

A critical command injection vulnerability in Anthropic's Claude Code agent allows attackers to bypass 'read-only' guardrails using Internal Field Separator ($IFS) manipulation, turning a helpful coding assistant into a gateway for Arbitrary Code Execution.
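To make the failure mode concrete, the following is an added illustration rather than Claude Code's own code: a validator that identifies the command word by splitting on whitespace, which is the shape of check `$IFS` defeats, next to a fail-closed variant that refuses anything the shell would expand before execution. The blocklist, allowlist and sample commands are constructed for this example.

```javascript
// Added example, not Claude Code's source. Lists are illustrative only.
const BLOCKED = new Set(["rm", "curl", "wget"]);
const ALLOWED = new Set(["ls", "cat", "git", "grep"]);

// Weak validator: takes the first whitespace-separated token as the command
// word. "rm${IFS}-rf${IFS}/tmp/x" has no whitespace, so the whole string is
// treated as one token, it is not in BLOCKED, and the command is allowed.
function naiveAllows(cmd) {
  const word = cmd.trim().split(/\s+/)[0];
  return !BLOCKED.has(word);
}

// Hardened validator: any syntax the shell expands or interprets at run time
// ($VAR, ${VAR}, $(...), backticks, separators, redirections, quotes, globs)
// is refused, because the real command word cannot be known before the shell
// runs. The remaining plain command word must be on an allowlist.
const SHELL_SYNTAX = /[$`\\;&|<>(){}\[\]*?~'"\n\r]/;
function hardenedAllows(cmd) {
  if (SHELL_SYNTAX.test(cmd)) return false;
  const word = cmd.trim().split(/\s+/)[0];
  return ALLOWED.has(word);
}

// Constructed inputs: a benign command, a plainly blocked one, and the same
// blocked command written with ${IFS} and $IFS instead of spaces.
const SAMPLES = [
  "ls -la",
  "rm -rf /tmp/scratch",
  "rm${IFS}-rf${IFS}/tmp/scratch",
  "rm$IFS-rf$IFS/tmp/scratch",
];

// Returns each sample with both verdicts so the bypass is visible side by side.
function compare() {
  return SAMPLES.map((cmd) => ({
    cmd,
    naive: naiveAllows(cmd),
    hardened: hardenedAllows(cmd),
  }));
}

for (const r of compare()) console.log(JSON.stringify(r));
```

The two `$IFS` samples pass the naive check and are rejected by the hardened one; the point is that a blocklist applied to a string the shell has not yet parsed cannot be made complete, whereas refusing expansion syntax keeps the decision within what the validator can actually see.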

Technical Appendix

CVSS Score: 9.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability: 0.15%
Top 99% most exploited

Affected Systems

Developer Workstations
CI/CD Pipelines using Claude Code
Local Node.js Environments

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| @anthropic-ai/claude-code (Anthropic) | < 1.0.93 | 1.0.93 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Context Injection) |
| CVSS v3.1 | 9.8 (Critical) |
| CWE ID | CWE-78 |
| Impact | Arbitrary Code Execution |
| Exploit Status | PoC Available |
| EPSS Score | 0.00151 (Low) |
CWE-78: OS Command Injection

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Vulnerability Timeline

Vulnerability Disclosed: 2025-12-03
Patch Released (v1.0.93): 2025-12-03
GHSA Advisory Published: 2025-12-03
