Comment and Control: Claude Code Security Review leaking ANTHROPIC_API_KEY via prompt injection

Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent

By Aonan Guan, with Johns Hopkins University’s Zhengyu Liu and Gavin Zhong

Update — 2026-05-04. I reported this on 2025-10-17; Anthropic accepted it at Critical (CVSS 9.3), upgraded it to Critical (CVSS 9.4) on 2025-11-25, and changed it to None on 2026-04-20.

Three of the most widely deployed AI agents on GitHub Actions can be hijacked into leaking the host repository’s API keys and access tokens — using GitHub itself as the command-and-control channel. ...

April 15, 2026 · 15 min · 3078 words · Aonan Guan
Agent SkillSlip: Path traversal in Gemini CLI skill installation writes to .vscode

Agent SkillSlip: Path Traversal in Google Gemini CLI, Anthropic Claude Code, and Vercel add-skill

TL;DR

Agent SkillSlip is a class of path traversal vulnerabilities in AI agent skill/plugin installers. The name field inside skill metadata is used directly in path.join() without validation, writing files to attacker-controlled locations — but the user only sees the archive filename or repository URL, not the internal metadata.

Found across three tools: Gemini CLI, Claude Code, and Vercel’s add-skill.

Impact ranges from VS Code terminal hijacking to SSH key injection.

add-skill fixed in PR #8 and PR #108. Gemini CLI and Claude Code remain unpatched as of writing.

The Pattern

After installing a Gemini CLI skill: .vscode/settings.json injected, terminal hijacked ...

March 8, 2026 · 10 min · 2027 words · Aonan Guan
CVE-2025-66479: The CVE That Claude Code Never Got

CVE-2025-66479: Anthropic's Silent Fix and the CVE That Claude Code Never Got

allowedDomains: []

“Empty array = no network access.” — Anthropic Sandbox Runtime Documentation

The implementation did not match the documentation. When I configured Claude Code’s sandbox with allowedDomains: [], expecting complete network isolation, the sandbox was wide open and allowed connections to any server on the internet. Anthropic patched this quietly in Claude Code v2.0.55 with a changelog entry saying “Fix proxy DNS resolution” — no mention of a critical security flaw. They assigned CVE-2025-66479 to their runtime library but did not assign a CVE to their flagship product Claude Code. The changelog did not include a security advisory. In practice, the issue was fixed quietly and most users were unlikely to realize there was a security patch. ...

December 3, 2025 · 6 min · 1138 words · Aonan Guan