by @LeSuisse Activity log
- Created automatic suggestion
-
@LeSuisse
removed
6 packages
- claude-code-acp
- claude-code-bin
- claude-code-router
- gnomeExtensions.claude-code-switcher
- vscode-extensions.anthropic.claude-code
- gnomeExtensions.claude-code-usage-indicator
- @LeSuisse added package claude-code-bin
- @LeSuisse dismissed
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111.
Affected products
- ==< 1.0.111
Matching in nixpkgs
pkgs.claude-code
An agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster
pkgs.claude-code-bin
Agentic coding tool that lives in your terminal, understands your codebase, and helps you code faster
Package maintainers
-
@malob Malo Bourgon <mbourgon@gmail.com>
-
@markus1189 Markus Hauck <markus1189@gmail.com>
-
@omarjatoi Omar Jatoi
-
@mirkolenz Mirko Lenz <mirko@mirkolenz.com>
-
@xiaoxiangmoe ZHAO JinXiang <xiaoxiangmoe@gmail.com>