Python EUVD-2026-32664 | CVE-2026-45136 | HIGH
OS Command Injection (CWE-78)
Published 2026-05-13 | https://github.com/cnighswonger/claude-code-cache-fix | GHSA-g3xq-3gmv-qq8g
CVSS 4.0 score: 8.6

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • May 27, 2026 - 21:29 (vuln.today): Analysis Updated, v3 (cvss_changed)
  • May 27, 2026 - 21:28 (vuln.today): Analysis Updated, v2 (cvss_changed)
  • May 27, 2026 - 21:22 (vuln.today): Re-analysis Queued (cvss_changed)
  • May 27, 2026 - 21:22 (NVD): CVSS changed to 8.6 (HIGH)
  • May 13, 2026 - 16:32 (vuln.today): Source Code Evidence Fetched
  • May 13, 2026 - 16:32 (vuln.today): Analysis Generated
  • May 13, 2026 - 15:31 (nvd): CVE Published, severity HIGH

Description (NVD)

Summary

tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process.

Affected versions

  • v3.5.0
  • v3.5.1

Patched versions

  • v3.5.2

Affected configurations

Users who wired tools/quota-statusline.sh into Claude Code's statusLine configuration. The v3.5.0 README explicitly recommends this setup, so most users on v3.5.0/v3.5.1 with the recommended setup are affected.

Attack chain

Claude Code's statusline hook payload reflects user-controlled paths (cwd, workspace.current_dir, workspace.project_dir, transcript_path). Apostrophes are legal in POSIX filesystem paths.

  1. A hostile directory name containing '''+payload+''' lands on disk via any normal vector - git clone, archive extraction, npm package, downloaded zip, etc.
  2. The victim has the recommended tools/quota-statusline.sh wired into their CC statusLine config.
  3. The victim changes directory (cd) to any location from which the hostile path is reachable.
  4. CC fires the statusline hook on every redraw. The Python literal closes early. The injected bytes execute as Python in the user's process.

Severity

Local code execution at user privilege. Persistent re-fire on every statusline redraw. No user interaction beyond cd-ing into the hostile path. The user's shell, CC session, files, SSH keys, and any locally-accessible credentials are reachable from the executed code.

Vulnerable pattern

```sh
input=$(cat)
# Hook stdin is expanded by the shell straight into the Python source, so a
# ''' in any payload field ends the literal and the bytes after it are parsed
# as Python code.
result=$(python3 -c "
import json
stdin_data = json.loads('''$input''') if '''$input''' else {}
")
```

Fix

Capture stdin in bash, export to env, and pipe the Python source through a single-quoted heredoc (<<'PYEOF'). Single-quoting disables ALL bash interpolation inside the body. Python reads the JSON via os.environ.get('CC_INPUT'), where the bytes are inert at every layer.

```sh
CC_INPUT=$(cat)    # capture hook stdin in bash
export CC_INPUT    # hand it to Python through the environment only

python3 <<'PYEOF' 2>/dev/null
# Quoted heredoc delimiter: bash performs no expansion anywhere in this body.
import os, json
try:
    cc_input = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:
    cc_input = {}
# ...
PYEOF
```
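As an added example (not the project's own code), the two patterns above are each reduced to a function that reads a hook payload on stdin and prints its cwd field, so the difference can be checked against a constructed payload whose cwd contains the ''' sequence. It assumes python3 is on PATH; function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory or the project: the vulnerable
# "python3 -c" interpolation next to the hardened env-var + quoted-heredoc
# form. Names (cc_cwd_vulnerable, cc_cwd_hardened, *_PAYLOAD) are hypothetical.

# Constructed hook payloads. The second carries a cwd containing the '''
# byte sequence that closes a Python triple-quoted literal early.
BENIGN_PAYLOAD='{"cwd":"/tmp/proj","workspace":{"current_dir":"/tmp/proj"}}'
HOSTILE_PAYLOAD="{\"cwd\":\"/tmp/evil'''x\",\"workspace\":{}}"

# Vulnerable pattern (v3.5.0/v3.5.1): stdin is expanded by the shell straight
# into Python source, so payload bytes are parsed as code. With the hostile
# payload Python stops at a SyntaxError and prints nothing.
cc_cwd_vulnerable() {
    input=$(cat)
    python3 -c "
import json
stdin_data = json.loads('''$input''') if '''$input''' else {}
print(stdin_data.get('cwd', ''))
"
}

# Hardened pattern (v3.5.2): the payload only ever travels through an
# environment variable, and the quoted heredoc delimiter ('PYEOF') stops the
# shell from expanding anything inside the Python source.
cc_cwd_hardened() {
    CC_INPUT=$(cat)
    export CC_INPUT
    python3 <<'PYEOF'
import os, json
try:
    cc_input = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:
    cc_input = {}
print(cc_input.get('cwd', ''))
PYEOF
}

# Stand-alone demonstration: the hostile cwd is inert in the hardened form
# and is printed back verbatim as data.
printf '%s' "$HOSTILE_PAYLOAD" | cc_cwd_hardened
```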

Workarounds

Until upgrading to v3.5.2:

  • Disable the statusline by removing the statusLine entry from ~/.claude/settings.json, or
  • Replace tools/quota-statusline.sh with a script that does NOT pass stdin through python3 -c "..." (a heredoc + env var rewrite is safe)

Credit

Reported by Jakob Linke (@schuay) via GitHub issue #108.

Timeline

  • 2026-05-07 - reported (#108)
  • 2026-05-07 - confirmed, fix implemented (#110)
  • 2026-05-07 - v3.5.2 published

Analysis (AI)

Local code execution in the claude-code-cache-fix npm package (v3.5.0 and v3.5.1) lets attacker-controlled filesystem path names run arbitrary Python inside a victim's Claude Code process. The bundled tools/quota-statusline.sh interpolates Claude Code's statusline hook stdin — which reflects user-controlled paths such as cwd, workspace.current_dir, workspace.project_dir, and transcript_path — directly into a Python triple-quoted literal, so a directory name containing the byte sequence ''' closes the literal early and executes following bytes as Python at the user's privilege on every statusline redraw. …

Remediation (AI)

Within 24 hours: Inventory all installations of claude-code-cache-fix v3.5.0 and v3.5.1 across the organization. Within 7 days: Update claude-code-cache-fix to the patched version (consult vendor advisory for specific version and compatibility requirements). …
