Claude Code used the git worktree commondir file when determining folder trust but did not validate its contents. By crafting a repository with a commondir file pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in .claude/settings.json. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted.
Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
Thank you to hackerone.com/masato_anzai for reporting this issue.
Claude Code used the git worktree
commondirfile when determining folder trust but did not validate its contents. By crafting a repository with acommondirfile pointing to a path the victim had previously trusted, an attacker could bypass the trust dialog and immediately execute malicious hooks defined in.claude/settings.json. Exploiting this required the victim to clone a malicious repository and run Claude Code within it, and for the attacker to know or guess a path the victim had already trusted.Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to the latest version.
Thank you to hackerone.com/masato_anzai for reporting this issue.