EUVD-2026-24033
GHSA-vp62-r36r-9xqp
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.
AnalysisAI
Sandbox escape in Claude Code versions prior to 2.1.64 enables arbitrary file writes outside the workspace by exploiting symlink handling between sandboxed and unsandboxed processes, potentially leading to code execution. The vulnerability requires prompt injection to trigger malicious sandboxed code execution, creating an exploitable chain where neither component can independently breach the sandbox but their interaction does. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires prompt injection capability to manipulate Claude Code's AI agent into executing malicious sandboxed commands-specifically, the attacker must introduce malicious instructions into the context window through code comments, documentation files (README.md, docstrings), or file names that Claude Code processes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate despite the 7.7 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker creates a malicious GitHub repository containing seemingly legitimate code with embedded prompt injection payloads in code comments or markdown documentation. When a developer opens this project in Claude Code and interacts with the AI assistant, the injected prompts trigger the agent to execute sandboxed commands that create symlinks pointing from the workspace to sensitive locations like ~/.ssh/authorized_keys or system startup directories. … |
| Remediation | Upgrade Claude Code to version 2.1.64 or later immediately. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Verify Claude Code deployment version across development teams and identify any instances running versions prior to 2.1.64. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today