Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered prompt injection (AV:N), high complexity for context injection success (AC:H), no attacker credentials needed (PR:N), user must process injected content (UI:R), data exits to attacker-controlled server (S:C), arbitrary local data exfiltrated (C:H), no integrity or availability impact.
Primary rating from Vendor (https://github.com/anthropics/claude-code).
CVSS VectorVendor: https://github.com/anthropics/claude-code
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain-including attacker-controlled model repositories-was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update have received this fix already; users performing manual updates are advised to update to the latest version.
Thank you to hackerone.com/novee for reporting this issue.
AnalysisAI
Out-of-band data exfiltration in Claude Code (npm/@anthropic-ai/claude-code versions 0.2.54 through 2.1.162) allows a prompt-injection attacker to silently exfiltrate files, environment variables, and command output by exploiting a pre-approved bare hostname bypass in the WebFetch tool. Because huggingface.co was whitelisted at the hostname level only, any path on that domain - including attacker-controlled model repository paths - was auto-approved without triggering a permission prompt and without being constrained by --allowedTools restrictions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two concrete conditions: (1) the attacker must be able to inject untrusted instruction content into the Claude Code context window - for example, by embedding a prompt-injection payload in a file that Claude is asked to read (README, config file, dependency manifest, data file) within a repository or directory being processed; and (2) the target system running Claude Code must have outbound network access to huggingface.co on port 443. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is elevated for users of Claude Code who routinely process untrusted content (reviewing third-party repositories, reading user-supplied configuration files, or operating in automated pipelines with external inputs). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor publishes a malicious HuggingFace repository and embeds a prompt-injection payload inside a README.md or model config file within a target GitHub repository. When a developer uses Claude Code to review or summarize that repository, Claude reads the README and encounters instructions to fetch a HuggingFace URL constructed from encoded environment variables or SSH key contents. … |
| Remediation | Vendor-released patch: 2.1.163. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-183 – Permissive List of Allowed Inputs
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38538
GHSA-fg94-h982-f3mm