Claude Code bypasses safety rule if given too many commands
<h4>A hard-coded limit on deny rules drops automatic enforcement for concatenated commands</h4>
Claude Code will ignore its deny rules, used to block risky actions, if burdened with a sufficiently long chain of subcommands. This vuln leaves the bot open to prompt injection attacks.
Adversa, a security firm based in Tel Aviv, Israel, spotted the issue following the leak of Claude Code's source.
Claude Code implements various mechanisms for allowing and denying access to specific tools. Some of these, like curl, which enables network requests from the command line, might pose a security risk if invoked by an over-permissive AI model.
One way the coding agent tries to defend against unwanted behavior is through deny rules that disallow specific commands. For example, to prevent Claude from using curl via ~/.claude/settings.json, you'd add something like { "deny": ["Bash(curl:*)"] }.
But deny rules have limits. The source code file bashPermissions.ts contains a comment that references an internal Anthropic issue designated CC-643. The associated note explains that there's a hard cap of 50 on security subcommands, set by the variable MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50. After 50, the agent falls back on asking permission from the user. The comment explains that 50 is a generous allowance for legitimate usage.
"The assumption was correct for human-authored commands," the Adversa AI Red Team said in a writeup provided to The Register. "But it didn't account for AI-generated commands from prompt injection – where a malicious CLAUDE.md file instructs the AI to generate a 50+ subcommand pipeline that looks like a legitimate build process."
The Adversa team's proof-of-concept attack was simple. They created a bash command that combined 50 no-op "true" subcommands and a curl subcommand. Claude asked for authorization to proceed instead of denying curl access outright.
In scenarios where an individual developer is watching and approving coding agent actions, this rule bypass might be caught. But often developers grant automatic approval to agents (--dangerously-skip-permissions mode) or just click through reflexively during long sessions. The risk is similar in CI/CD pipelines that run Claude Code in non-interactive mode.
Ironically, Anthropic has developed a fix – a parser referred to as "tree-sitter" that's also evident in its source code and is available internally but not in public builds.
Adversa argues that this is a bug in the security policy enforcement code, one that has regulatory and compliance implications if not addressed.
A fix would be easy. Anthropic already has "tree-sitter" working internally, and a simple one-line change, switching the "behavior" key from "ask" to "deny" in the bashPermissions.ts file at line 2174, would address this particular vulnerability.
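The cap behavior and the "ask" to "deny" change described above, modelled as an added TypeScript example; this is not Anthropic's code and does not come from the article. Only MAX_SUBCOMMANDS_FOR_SECURITY_CHECK and its value are taken from the page; the function names, the naive splitter and the sample command are assumptions made for illustration.

```typescript
// Added illustration of the policy logic the article describes.
// Hypothetical names throughout, except the cap constant quoted on the page.
type Decision = "allow" | "ask" | "deny";

const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50; // value quoted in the article

// Naive split on &&, ||, ; and |. Assumption: it ignores quoting and
// subshells, which a real shell parser would have to handle.
function splitSubcommands(command: string): string[] {
  return command
    .split(/&&|\|\||;|\|/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// denied:  program names blocked by deny rules, e.g. ["curl"].
// overCap: decision returned when the chain is too long to inspect.
//          "ask" models the reported behavior, "deny" the fail-closed fix.
function checkCommand(command: string, denied: string[], overCap: Decision): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) {
    // Per-subcommand deny rules are never consulted on this path.
    return overCap;
  }
  for (const sub of subs) {
    const program = sub.split(/\s+/)[0] || "";
    if (denied.indexOf(program) !== -1) return "deny";
  }
  return "allow";
}

// Constructed sample input: n no-op "true" subcommands followed by one more.
function longChain(n: number, last: string): string {
  const parts: string[] = [];
  for (let i = 0; i < n; i++) parts.push("true");
  parts.push(last);
  return parts.join(" && ");
}

const SAMPLE = "curl https://example.invalid/"; // constructed, not from the page
console.log(checkCommand(SAMPLE, ["curl"], "ask"));                // short chain: rule enforced
console.log(checkCommand(longChain(50, SAMPLE), ["curl"], "ask")); // over cap: downgraded
console.log(checkCommand(longChain(50, SAMPLE), ["curl"], "deny")); // over cap: fail closed
```

In non-interactive or auto-approve runs, the "ask" outcome is the one that matters, because nothing stands between it and execution.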
Anthropic did not immediately respond to a request for comment. ®
The Register AI/ML
https://go.theregister.com/feed/www.theregister.com/2026/04/01/claude_code_rule_cap_raises/