CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-25724

The Symlink Whisperer: Bypassing Claude Code's Security Rails

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 8, 2026·6 min read·64 visits

Executive Summary (TL;DR)

Claude Code's file access restrictions could be bypassed using symbolic links. The tool validated the link's name rather than its target, allowing the AI to read 'denied' files like `/etc/passwd` if they were symlinked from an allowed path. Fixed in v2.1.7.

In the race to build autonomous coding agents, developers often forget the oldest tricks in the UNIX book. Claude Code, Anthropic's CLI tool for agentic coding, implemented a 'deny' list to prevent the AI from reading sensitive files (like keys or system configs). However, prior to version 2.1.7, this mechanism checked the filename, not the file's destination. By utilizing symbolic links, an attacker (or a malicious repository) could trick the agent into reading any file the user had access to, completely bypassing the application's security constraints.

The Hook: Agents Unchained

We are living in the golden age of "Agentic AI." Tools like Claude Code are essentially remote shells that we willingly install, giving a Large Language Model (LLM) permission to read our files, execute terminal commands, and refactor our spaghetti code. It is a powerful concept, but it terrifyingly blurs the line between "user intent" and "arbitrary code execution."

To keep things from going off the rails, Anthropics implemented a safety feature: a settings.json configuration where paranoid users (like us) can define a deny list. This list tells the agent, "You can touch anything in this repo, except my .env file and definitely not /etc/shadow." Ideally, this creates a sandbox where the agent can play without burning down the house.

But here is the thing about software boundaries: they are often drawn with crayon. The vulnerability we are looking at today, CVE-2026-25724, is a classic example of logic failing to account for the underlying geometry of the filesystem. It is a story about how a simple symbolic link turned a security fence into a revolving door.

The Flaw: A Tale of Two Paths

The root cause of this vulnerability is a canonicalization failure, specifically CWE-61 (UNIX Symbolic Link Following). When you ask a program to check if a file is safe to read, the program has to decide which path it is checking: the path you gave it, or the path the filesystem actually resolves to.

In Claude Code versions prior to 2.1.7, the application performed its security check on the user-provided path. If the deny list contained /etc/passwd, and the agent attempted to read ./cool-config.txt, the check would pass because ./cool-config.txt is not in the deny list.

However, if ./cool-config.txt happened to be a symbolic link pointing to /etc/passwd, the underlying fs.readFile (or equivalent system call) would happily follow the link and return the contents of the password file. The security check validated the label on the box, but the filesystem opened the contents of the box. This is a classic Time-of-Check to Time-of-Use (TOCTOU) adjacent issue where the object verified differs from the object accessed.

The Code: Breaking the logic

Let's look at a reconstruction of the vulnerable logic vs. the fixed logic. The flaw lies entirely in the order of operations: checking permissions before resolving the path.

The Vulnerable Pattern

// Pseudocode representation of the flaw
function isAllowed(filePath: string, denyList: string[]): boolean {
  // FLAW: Checks the raw path string against the deny list
  for (const denied of denyList) {
    if (filePath.startsWith(denied)) {
      return false;
    }
  }
  return true;
}
 
// Usage
const target = "./innocent_link";
if (isAllowed(target, userSettings.deny)) {
  // The runtime follows the symlink here, bypassing the check
  const content = fs.readFileSync(target, 'utf-8');
  console.log(content);
}

The Fix (v2.1.7)

The patch involves resolving the path to its absolute, physical location on the disk using realpath before performing any checks. This ensures that aliases cannot hide the true destination.

import { realpathSync } from 'fs';
 
function isAllowed(filePath: string, denyList: string[]): boolean {
  try {
    // FIX: Resolve symlinks to their true destination first
    const resolvedPath = realpathSync(filePath);
    
    for (const denied of denyList) {
      if (resolvedPath.startsWith(denied)) {
        return false;
      }
    }
    return true;
  } catch (e) {
    // Handle dangling links or missing files
    return false;
  }
}

> [!NOTE] > This fix effectively neutralizes the attack because realpathSync expands ./innocent_link into /etc/passwd. The subsequent check sees that /etc/passwd matches the deny list entry and blocks the read operation.

The Exploit: Trojan Repositories

While the CVSS score is low (2.3) because it requires the user to run the tool, the attack vector is fascinating for supply chain security. Imagine a malicious open-source repository designed to exfiltrate data from developers who use AI agents to review code.

The Setup

An attacker creates a repository with a "helper script" or a config file that is actually a symlink to sensitive system files.

# Attacker sets up the repo
mkdir -p malicious-repo
cd malicious-repo
# Create a link to the user's SSH keys or global config
ln -s ~/.ssh/id_rsa ./debug_logs.txt
ln -s /etc/shadow ./shadow_copy.txt
git add .
git commit -m "Add debug logs for analysis"

The Execution

  1. The Victim clones the repo and launches Claude Code: claude code.
  2. The Victim configures settings.json to deny access to ~/.ssh and /etc, thinking they are safe.
  3. The Prompt: The victim asks Claude, "Summarize the debug logs in this folder to help me understand the error."
  4. The Bypass: Claude sees debug_logs.txt. It checks the deny list. debug_logs.txt is allowed.
  5. The Leak: Claude reads the file (following the symlink to id_rsa), ingests the private key into its context window, and sends it to the LLM API for processing. The private key is now in the chat history.

The Impact: Why context matters

If you look at the CVSS score of 2.3, you might be tempted to ignore this. "Low severity? Who cares?" But in the context of an Agentic AI, the impact is higher than the score suggests.

We are entrusting these tools with high-bandwidth IO. They read code, they write code, and crucially, they upload context to the cloud. A file read bypass isn't just a local display issue; it's a data exfiltration vector. If an agent inadvertently reads a secret because of a symlink bypass, that secret leaves your machine and ends up on Anthropic's servers (or wherever the API endpoint is).

Furthermore, this breaks the trust model. Users rely on the deny list as a safety rail. When safety rails fail silently, users engage in risky behavior (like running the agent on untrusted code) believing they are protected. It is a reminder that application-level permissions are rarely as robust as OS-level permissions.

The Fix: Upgrade and verify

The remediation is straightforward: Update to @anthropic-ai/claude-code version 2.1.7 or later. This version correctly resolves paths before authorization.

Defensive Coding Lesson

For developers building similar tools:

  1. Never trust input paths. Always canonicalize them using fs.realpath (Node) or filepath.EvalSymlinks (Go) before performing security checks.
  2. Deny Default. Allow-lists are generally safer than Deny-lists. It is harder to accidentally allow a symlink than it is to fail to deny one.
  3. Sandboxing. If possible, run agentic tools in a container or a VM. Relying on the tool's internal logic to prevent it from reading /etc/passwd is risky; running it in a container where /etc/passwd doesn't matter is better.

Technical Appendix

CVSS Score
2.3/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS Probability
0.04%
Top 86% most exploited

Affected Systems

Claude Code CLI tool < 2.1.7Developer workstations running Claude Code

Affected Versions Detail

Product
Affected Versions
Fixed Version
@anthropic-ai/claude-code
Anthropics
< 2.1.72.1.7
AttributeDetail
CWECWE-61 (Symlink Following)
CVSS v4.02.3 (Low)
Attack VectorNetwork (via malicious repo)
Privileges RequiredNone
User InteractionRequired (Passive)
Exploit StatusPoC Available

MITRE ATT&CK Mapping

T1204.002User Execution: Malicious File
Execution
T1559Inter-Process Communication
Execution
T1059Command and Scripting Interpreter
Execution
CWE-61
UNIX Symbolic Link (Symlink) Following

References & Sources

  • [1]GHSA-4q92-rfm6-2cqx Advisory
  • [2]NVD CVE-2026-25724

More Reports

•about 1 hour ago•GHSA-489G-7RXV-6C8Q
8.2

CVE-2026-27826: DNS Rebinding TOCTOU Bypass in mcp-atlassian Server

A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 3 hours ago•CVE-2026-49866
7.5

CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser

A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 4 hours ago•CVE-2026-49858
5.9

CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.

Alon Barad
Alon Barad
4 views•7 min read
•about 4 hours ago•CVE-2026-5078
5.3

CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.

Alon Barad
Alon Barad
5 views•7 min read
•about 15 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 16 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read