Claude Code bypasses safety rule if given too many commands


Claude Code will ignore its deny rules, used to block risky actions, if burdened with a sufficiently long chain of subcommands. This vuln leaves the bot open to prompt injection attacks.

Adversa, a security firm based in Tel Aviv, Israel, spotted the issue following the leak of Claude Code's source.

Claude Code implements various mechanisms for allowing and denying access to specific tools. Some of these, like curl, which enables network requests from the command line, might pose a security risk if invoked by an over-permissive AI model.

One way the coding agent tries to defend against unwanted behavior is through deny rules that disallow specific commands. For example, to prevent Claude from using curl via ~/.claude/settings.json, you'd add something like { "deny": ["Bash(curl:*)"] }.

But deny rules have limits. The source code file bashPermissions.ts contains a comment that references an internal Anthropic issue designated CC-643 ...
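
An added example, not code from Claude Code or from the article: a deny-rule check that evaluates every subcommand of a chained Bash command and denies when the chain is too long to analyse instead of letting it through. Only the Bash(curl:*) rule syntax comes from the text above; the splitter, the MAX_SUBCOMMANDS value and all function names are assumptions.

```typescript
type Decision = { verdict: "allow" | "deny"; reason: string };

const MAX_SUBCOMMANDS = 16; // assumed analysis budget, not a value from the article

// Split on ; & | and newlines outside quotes. Over-splitting (e.g. "2>&1") only
// yields extra fragments to check, which is the safe direction for a deny check.
function splitSubcommands(cmd: string): string[] {
  const parts: string[] = [];
  let cur = "";
  let quote = "";
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd.charAt(i);
    if (ch === "\\" && quote !== "'") {
      cur += ch + cmd.charAt(++i); // keep the escaped character literal
    } else if (quote !== "") {
      if (ch === quote) quote = "";
      cur += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      cur += ch;
    } else if (";&|\n".includes(ch)) {
      parts.push(cur);
      cur = "";
    } else {
      cur += ch;
    }
  }
  parts.push(cur);
  return parts.map((p) => p.trim()).filter((p) => p.length > 0);
}

// "Bash(curl:*)" -> "curl"; rules for other tools are skipped.
function denyPrefixes(rules: string[]): string[] {
  const out: string[] = [];
  for (const r of rules) {
    const m = /^Bash\((.*?)(?::\*)?\)$/.exec(r);
    if (m && m[1]) out.push(m[1]);
  }
  return out;
}

function checkBash(cmd: string, rules: string[]): Decision {
  // Substitutions hide commands from a flat splitter, so refuse them.
  if (/\$\(|`|<\(/.test(cmd)) return { verdict: "deny", reason: "unanalysable substitution" };
  const subs = splitSubcommands(cmd);
  // Fail closed: a chain too long to analyse is denied rather than passed through.
  if (subs.length > MAX_SUBCOMMANDS) return { verdict: "deny", reason: "too many subcommands" };
  for (const sub of subs)
    for (const p of denyPrefixes(rules))
      if (sub === p || sub.startsWith(p + " ")) return { verdict: "deny", reason: `matches Bash(${p}:*)` };
  return { verdict: "allow", reason: "no deny rule matched" };
}
```

The design point is the order of the checks: the length limit is tested before any rule matching and resolves to deny, so exceeding the budget can never skip the deny list.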


Copyright of this story solely belongs to theregister.co.uk.