Nixpkgs security tracker

Untriaged

Permalink CVE-2026-39861

created 1 week ago Activity log

Created suggestion 1 week ago

Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace

Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations outside the workspace. When Claude Code subsequently wrote to a path within such a symlink, its unsandboxed process followed the symlink and wrote to the target location outside the workspace without prompting the user for confirmation. This allowed a sandbox escape where neither the sandboxed command nor the unsandboxed app could independently write outside the workspace, but their combination could write to arbitrary locations, potentially leading to code execution outside the sandbox. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window to trigger sandboxed code execution via prompt injection. Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.

References

https://github.com/anthropics/claude-code/security/advisories/GHSA-vp62-r36r-9xqp x_refsource_CONFIRM

Affected products

claude-code

==< 2.1.64

Matching in nixpkgs

pkgs.claude-code

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

nixos-unstable 2.1.112
- nixpkgs-unstable 2.1.107
- nixos-unstable-small 2.1.112
nixos-25.11 2.1.81
- nixos-25.11-small 2.1.81
- nixpkgs-25.11-darwin 2.1.81

pkgs.claude-code-acp

ACP-compatible coding agent powered by the Claude Code SDK

nixos-25.11 0.10.6
- nixos-25.11-small 0.10.6
- nixpkgs-25.11-darwin 0.10.6

pkgs.claude-code-bin

Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster

nixos-unstable 2.1.114
- nixpkgs-unstable 2.1.107
- nixos-unstable-small 2.1.114
nixos-25.11 2.1.81
- nixos-25.11-small 2.1.81
- nixpkgs-25.11-darwin 2.1.81

pkgs.claude-code-router

Tool to route Claude Code requests to different models and customize any request

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-25.11 1.0.64
- nixos-25.11-small 1.0.64
- nixpkgs-25.11-darwin 1.0.64

pkgs.gnomeExtensions.claude-code-usage

Display Claude Code usage in the top panel. This extension uses anthropic.com services. This extension is not affiliated, funded, or in any way associated with Claude.

nixos-unstable 4
- nixpkgs-unstable 4
- nixos-unstable-small 4

pkgs.gnomeExtensions.claude-code-switcher

A GNOME shell extension for quickly switching Claude Code API providers with enhanced performance and reliability.

nixos-unstable 13
- nixpkgs-unstable 13
- nixos-unstable-small 13
nixos-25.11 13
- nixos-25.11-small 13
- nixpkgs-25.11-darwin 13

pkgs.vscode-extensions.anthropic.claude-code

Harness the power of Claude Code without leaving your IDE

nixos-unstable 2.1.114
- nixpkgs-unstable 2.1.107
- nixos-unstable-small 2.1.114
nixos-25.11 2.1.81
- nixos-25.11-small 2.1.81
- nixpkgs-25.11-darwin 2.1.81

pkgs.gnomeExtensions.claude-code-usage-indicator

Shows remaining time and usage percentage for Claude Code sessions in the top panel. Displays format like '3h 12m (30%)' showing both time remaining and percentage consumed. Automatically refreshes every 5 minutes.

nixos-unstable 3
- nixpkgs-unstable 3
- nixos-unstable-small 3
nixos-25.11 3
- nixos-25.11-small 3
- nixpkgs-25.11-darwin 3

Package maintainers

@markus1189 Markus Hauck <markus1189@gmail.com>
@adeci Alex Decious <alex.decious@gmail.com>
@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>
@malob Malo Bourgon <mbourgon@gmail.com>
@omarjatoi Omar Jatoi
@storopoli Jose Storopoli <jose@storopoli.com>
@mirkolenz Mirko Lenz <mirko@mirkolenz.com>
@Prince213 Sizhe Zhao <prc.zhao@outlook.com>
@honnip Jung seungwoo <me@honnip.page>

Suggestion detail