Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Malicious repo is network-delivered (AV:N) but needs symlink/fsmonitor chaining (AC:H) and the victim to clone and run the tool (UI:R); the sandbox escape changes scope (S:C) with full host code execution (C/I/A:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor execution during worktree operations, an attacker could overwrite files in the user's home directory (such as .zshenv), leading to code execution outside of seatbelt sandbox restrictions. Reliably exploiting this required the user to clone a malicious repository containing prompt injection content and run Claude Code against it. This vulnerability is fixed in 2.1.163.
AnalysisAI
Sandbox escape and code execution in Anthropic's Claude Code CLI (versions 2.1.38 through 2.1.162) lets a malicious repository break out of the macOS seatbelt sandbox by abusing git worktree handling. By creating a worktree named ".git" and combining symlink manipulation with git fsmonitor execution, an attacker can overwrite files in the user's home directory such as .zshenv to achieve code execution outside the sandbox. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the victim to clone a malicious repository containing prompt-injection content and then run Claude Code (versions 2.1.38-2.1.162) against it; the repo must carry a git worktree named ".git" and rely on symlink manipulation plus git fsmonitor execution during worktree operations to redirect writes into the home directory (for example overwriting .zshenv). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H, base 7.7) signals network delivery with no authentication but with a present attack requirement (AT:P) and passive user interaction, which aligns with the description: the attacker needs no credentials, but the victim must clone a malicious repo and run Claude Code against it, and a prompt-injection/setup condition must hold. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes an attractive open-source repository seeded with prompt-injection content and a crafted git worktree named ".git" plus malicious symlinks and fsmonitor configuration. A developer clones it and runs Claude Code against the project; during worktree operations git executes the attacker-controlled fsmonitor program and writes are redirected via symlinks to overwrite ~/.zshenv. … |
| Remediation | Vendor-released patch: 2.1.163 - upgrade Claude Code to 2.1.163 or later, which fixes the worktree handling, per advisory GHSA-7835-87q9-rgvv (https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit installed Claude Code CLI versions across macOS endpoints to identify users on versions 2.1.38-2.1.162. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Claude Code
View allOS command injection in Anthropic Claude Code CLI and Agent SDK for Python allows remote, unauthenticated attackers to e
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python allows local attackers to execute arbi
OS command injection in Anthropic Claude Code CLI and Claude Agent SDK for Python enables arbitrary command execution vi
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and shor
Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to injec
Claude Code is an agentic coding tool. Versions before 1.0.111 were vulnerable to Code Injection due to a bug in the sta
Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command p
Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting
Claude Code is an agentic coding tool. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no au
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious reposi
Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attacker
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40117