Cluade Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74.
Affected products
- ==< 2.0.74
Matching in nixpkgs
pkgs.claude-code
An agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster
pkgs.claude-code-acp
ACP-compatible coding agent powered by the Claude Code SDK
pkgs.claude-code-bin
Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster
pkgs.claude-code-router
Tool to route Claude Code requests to different models and customize any request
pkgs.gnomeExtensions.claude-code-switcher
A GNOME shell extension for quickly switching Claude Code API providers with enhanced performance and reliability.
pkgs.vscode-extensions.anthropic.claude-code
Harness the power of Claude Code without leaving your IDE
pkgs.gnomeExtensions.claude-code-usage-indicator
Shows remaining time and usage percentage for Claude Code sessions in the top panel. Displays format like '3h 12m (30%)' showing both time remaining and percentage consumed. Automatically refreshes every 5 minutes.
Package maintainers
-
@malob Malo Bourgon <mbourgon@gmail.com>
-
@markus1189 Markus Hauck <markus1189@gmail.com>
-
@omarjatoi Omar Jatoi
-
@storopoli Jose Storopoli <jose@storopoli.com>
-
@mirkolenz Mirko Lenz <mirko@mirkolenz.com>
-
@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>
-
@Prince213 Sizhe Zhao <prc.zhao@outlook.com>
-
@honnip Jung seungwoo <me@honnip.page>