NIXPKGS-2026-1974

GitHub issue published 15 hours ago

Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch

Permalink CVE-2026-54316

6.0 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): Present (P)
Privileges Required (PR): None (N)
User Interaction (UI): Passive (P)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): Present (P)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Passive (P)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

updated 15 hours ago by @LeSuisse Activity log

Created suggestion 1 day, 1 hour ago
@LeSuisse ignored
6 packages
- claude-code-acp
- gnomeExtensions.claude-code-usage
- claude-code-router
- gnomeExtensions.claude-code-switcher
- vscode-extensions.anthropic.claude-code
- gnomeExtensions.claude-code-usage-indicator
16 hours ago
@LeSuisse accepted 16 hours ago
@LeSuisse published on GitHub 15 hours ago

Claude Code: Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch

Claude Code is an agentic coding tool. From 0.2.54 until 2.1.163, because the hostname huggingface.co was pre-approved as a bare hostname for the WebFetch tool, any path on that domain—including attacker-controlled model repositories—was auto-approved without a permission prompt or being subject to --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context could direct it to issue WebFetch requests against attacker-controlled repository files (e.g. /resolve/main/config.json), which HuggingFace counts as downloads server-side, creating a covert out-of-band channel for encoding and exfiltrating data Claude can access such as files, environment variables, or command output. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 2.1.163.

References

https://github.com/anthropics/claude-code/security/advisories/GHSA-fg94-h982-f3mm x_refsource_CONFIRM

Affected products

claude-code

==>= 0.2.54, < 2.1.163

Matching in nixpkgs

pkgs.claude-code

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

nixos-unstable 2.1.148
- nixpkgs-unstable 2.1.172
- nixos-unstable-small 2.1.172
nixos-26.05 2.1.148
- nixos-26.05-small 2.1.148
- nixpkgs-26.05-darwin 2.1.148

pkgs.claude-code-bin

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

nixos-unstable 2.1.148
- nixpkgs-unstable 2.1.172
- nixos-unstable-small 2.1.172
nixos-26.05 2.1.148
- nixos-26.05-small 2.1.148
- nixpkgs-26.05-darwin 2.1.148

Ignored packages (6)

pkgs.claude-code-acp

None

pkgs.claude-code-router

Tool to route Claude Code requests to different models and customize any request

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-26.05 2.0.0
- nixos-26.05-small 2.0.0
- nixpkgs-26.05-darwin 2.0.0

pkgs.gnomeExtensions.claude-code-usage

Display Claude Code usage in the top panel. This extension uses anthropic.com services. This extension is not affiliated, funded, or in any way associated with Claude.

nixos-unstable 4
- nixpkgs-unstable 4
- nixos-unstable-small 4
nixos-26.05 4
- nixos-26.05-small 4
- nixpkgs-26.05-darwin 4

pkgs.gnomeExtensions.claude-code-switcher

A GNOME shell extension for quickly switching Claude Code API providers with enhanced performance and reliability.

nixos-unstable 13
- nixpkgs-unstable 13
- nixos-unstable-small 13
nixos-26.05 13
- nixos-26.05-small 13
- nixpkgs-26.05-darwin 13

pkgs.vscode-extensions.anthropic.claude-code

Harness the power of Claude Code without leaving your IDE

nixos-unstable 2.1.148
- nixpkgs-unstable 2.1.172
- nixos-unstable-small 2.1.172
nixos-26.05 2.1.148
- nixos-26.05-small 2.1.148
- nixpkgs-26.05-darwin 2.1.148

pkgs.gnomeExtensions.claude-code-usage-indicator

Shows remaining time and usage percentage for Claude Code sessions in the top panel. Displays format like '3h 12m (30%)' showing both time remaining and percentage consumed. Automatically refreshes every 5 minutes.

nixos-unstable 3
- nixpkgs-unstable 3
- nixos-unstable-small 3
nixos-26.05 3
- nixos-26.05-small 3
- nixpkgs-26.05-darwin 3

Package maintainers

@omarjatoi Omar Jatoi
@malob Malo Bourgon <mbourgon@gmail.com>
@markus1189 Markus Hauck <markus1189@gmail.com>
@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>
@mirkolenz Mirko Lenz <mirko@mirkolenz.com>
@oskarwires Oskar <me@usbcable.io>
@adeci Alex Decious <alex.decious@gmail.com>

Needs a backport to 26.05

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1974