AIKIDO-2026-690449

@anthropic-ai/claude-code is vulnerable to Sandbox Escape

Sandbox Escape · CVE-2026-55607 · Published Yesterday

77

High Risk

This Affects:

JS: @anthropic-ai/claude-code
2.1.38 - 2.1.162
Fixed in 2.1.163

TL;DR

Claude Code allowed creating git worktrees named .git and navigating worktrees outside the sandbox context. A malicious repository can combine prompt injection in CLAUDE.md with attacker-controlled git configuration so worktree operations trigger core.fsmonitor command execution, follow symlinks into the user's home directory, and overwrite shell startup files such as ~/.zshenv. Because zsh sources those files before macOS seatbelt restrictions apply to Bash tool payloads, attacker code can run outside the sandbox even when sandbox mode is enabled. The fix rejects .git as a worktree name.

Who does this affect?

You are affected if you are using a version within the vulnerable range and opening untrusted repositories in Claude Code where repository content (for example CLAUDE.md) can steer worktree tool usage.

Background info

@anthropic-ai/claude-code is vulnerable to Sandbox Escape in versions 2.1.38 - 2.1.162.

How to fix this

Upgrade the @anthropic-ai/claude-code library to the patched version (2.1.163 or later).