Claude Code bypasses safety rules after 50 chained commands, enabling prompt injection attacks
Claude Code will automatically approve denied commands—like curl—if preceded by 50 or more chained subcommands, according to security firm Adversa. The vulnerability stems from a hard-coded MAX_SUBCOMMANDS_FOR_SECURITY_CHECK limit set to 50 in the source code, after which the system falls back to requesting user permission rather than enforcing deny rules.
Claude Code Bypasses Safety Rules After 50 Chained Commands
Anthropic's Claude Code will ignore its security deny rules if given a sufficiently long chain of subcommands, enabling attackers to bypass protections against risky operations like network requests. Security firm Adversa discovered the vulnerability following the leak of Claude Code's source code.
The Technical Issue
Claude Code uses deny rules configured in ~/.claude/settings.json to block access to potentially dangerous tools. For example, administrators can prevent curl execution with:
{ "deny": ["Bash(curl:*)"] }
However, the source code file bashPermissions.ts contains a hard-coded limit: MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50. After 50 security-relevant subcommands, the system stops enforcing deny rules and instead asks the user for permission.
The code references an internal Anthropic issue (CC-643), with a comment noting that 50 was considered "a generous allowance for legitimate usage." This assumption held true for human-authored commands but failed to account for AI-generated attack chains.
Proof of Concept
Adversa demonstrated the vulnerability with a simple attack: they created a bash command combining 50 no-op "true" subcommands followed by a curl command. Claude Code asked for user authorization instead of denying curl outright—effectively bypassing the configured security policy.
The attack leverages prompt injection through malicious CLAUDE.md files that instruct the AI to generate 50+ subcommand pipelines disguised as legitimate build processes.
Real-World Impact
The vulnerability poses practical risks in two scenarios:
- Developer approval workflows: When developers grant automatic approval (--dangerously-skip-permissions mode) or reflexively click through after long sessions, the bypass succeeds undetected.
- CI/CD pipelines: When Claude Code runs in non-interactive mode without human oversight, injected commands bypass security controls entirely.
Status and Fix
Anthropic has already developed a fix internally using a parser called "tree-sitter" that properly validates command chains, but this parser is not included in public builds. Adversa notes that a single-line code change at line 2174 in bashPermissions.ts—switching the "behavior" key from "ask" to "deny"—would immediately resolve this particular vulnerability.
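The difference between the "ask" and "deny" fallbacks can be seen in a simplified model of a capped deny-rule check. This is an added example, not Claude Code's source: apart from MAX_SUBCOMMANDS_FOR_SECURITY_CHECK and the Bash(curl:*) rule, every name, the naive splitter, the "more than 50" comparison and the sample commands are assumptions made for illustration.

```typescript
// Simplified model, not Claude Code's source. Every name except
// MAX_SUBCOMMANDS_FOR_SECURITY_CHECK is hypothetical.
type Decision = "allow" | "ask" | "deny";

const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50; // value reported in the article

// Naive split on &&, ||, ; and |. Quoting and subshells are ignored,
// so this is only good enough to count the constructed inputs below.
function splitSubcommands(command: string): string[] {
  return command
    .split(/&&|\|\||;|\|/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Rules in the article's form: "Bash(curl:*)" matches any curl invocation.
function matchesDeny(subcommand: string, denyRules: string[]): boolean {
  const program = subcommand.split(/\s+/)[0];
  return denyRules.some((rule) => {
    const m = /^Bash\(([^:)]+):\*\)$/.exec(rule);
    return m !== null && m[1] === program;
  });
}

// overCapBehavior models the one value the article says decides the outcome.
// "allow" stands in for the normal permission flow of a non-denied command.
function checkCommand(
  command: string,
  denyRules: string[],
  overCapBehavior: Decision,
): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) {
    return overCapBehavior; // per-subcommand deny rules are never consulted
  }
  return subs.some((s) => matchesDeny(s, denyRules)) ? "deny" : "allow";
}

// Constructed inputs: a short chain, and one padded past the cap.
const deny = ["Bash(curl:*)"];
const shortChain = "true && curl https://example.invalid/";
const longChain =
  Array(MAX_SUBCOMMANDS_FOR_SECURITY_CHECK).fill("true").join(" && ") +
  " && curl https://example.invalid/";

console.log(checkCommand(shortChain, deny, "ask"));  // deny rule enforced
console.log(checkCommand(longChain, deny, "ask"));   // fail-open fallback
console.log(checkCommand(longChain, deny, "deny"));  // fail-closed fallback
```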
Anthropic did not respond to requests for comment.
What This Means
The vulnerability highlights a systematic problem: security limits designed around human behavior fail when AI-generated inputs can trivially exceed thresholds. The 50-command cap assumed attackers would limit their payload to avoid detection, but AI agents can generate arbitrarily complex command chains within a single prompt.
While the fix is straightforward, the discovery raises broader questions about Claude Code's deployment in automated environments where security assumptions may not hold. Organizations using Claude Code in CI/CD or other automated contexts should treat deny rules as a policy layer only—not a technical enforcement mechanism—until Anthropic patches this issue.