Circumventing Security in Claude Code: Misconfiguration and Denial-of-Service
The integration of large language model (LLM)-based coding agents into development workflows has significantly increased productivity by automating tasks such as code generation and execution. However, this convenience comes with security risks. Kodem recently identified two security issues in Claude Code: a misconfiguration allowing circumvention of user approval and a subsequent Denial-of-Service (DoS) condition.


Finding #1: Bypassing User Approval to run arbitrary commands
Claude Code, like Gemini CLI and other development agents with auto-approval features, provides automatic approval mechanisms for command execution, enabling a seamless developer experience. However, this feature unintentionally grants attackers the potential to execute malicious commands without explicit user consent.
Specifically, legitimate Unix binaries like the find command can execute arbitrary code through particular flags (-exec, -execdir, -ok, -okdir). For example:
find . -exec sh -c "python -m http.server 8080" +
This command transitions from a harmless file search to unauthorized code execution, entirely bypassing user approval processes.


Finding #2: Denial-of-Service (DoS) vulnerability via Malformed Inputs
The second finding, a clear vulnerability, arises from Claude Code’s handling of environment variable expansions. A crafted input such as:
echo ${PATH}
can trigger internal processing errors due to incorrect or incomplete variable syntax, resulting in an internal exception labeled "Bad substitution". This error leads directly to a crash of Claude Code, constituting a DoS vulnerability.
Technical Analysis
Internally, Claude Code expands environment variables using a nested function designed to process tokens within command strings. Malformed or unexpected inputs prompt this function to raise unhandled exceptions, causing service disruptions.

Disclosure and Vendor Response
Kodem responsibly disclosed both vulnerabilities to Anthropic, the creators of Claude Code. Anthropic promptly acknowledged and replicated both issues. Despite the clear practical implications, there remains ongoing discussion regarding the classification of these behaviors as vulnerabilities versus intended functionality.
Recommendations for Security Researchers and Product Security Teams
These findings highlight the critical need for careful configuration and robust input validation mechanisms within LLM-based coding agents. Security researchers should proactively investigate similar patterns across comparable platforms, such as Gemini CLI, to preemptively address and mitigate these security concerns.
Product security teams must implement rigorous approval policies and strengthen internal error-handling mechanisms to prevent both unauthorized command execution and service disruption vulnerabilities.
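The following is an added example, not code from Kodem or Anthropic, of an approval check that covers both findings: it sends find to the user when any of the four flags from Finding #1 is present, and it fails closed on input it cannot parse instead of raising. The allowlist contents, the function name and the sample commands are assumptions made for illustration.

```python
import shlex

# Assumed policy for illustration: binaries the agent may run without asking.
AUTO_APPROVED = {"ls", "cat", "grep", "find"}

# Arguments that turn a read-only tool into a command launcher.
# The find entries are the four flags named in Finding #1.
EXEC_FLAGS = {"find": {"-exec", "-execdir", "-ok", "-okdir"}}

# Shell syntax that chains, redirects or expands. Its presence means the
# string is more than one simple command, so it goes to the user.
SHELL_META = set(";|&<>`$(){}\n")


def needs_user_approval(command: str) -> tuple[bool, str]:
    """Return (True, reason) unless the command is plainly safe to auto-run."""
    if any(ch in SHELL_META for ch in command):
        return True, "shell metacharacter present"
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # for example, unbalanced quotes
        # Fail closed: a parse error becomes a prompt, never a crash.
        return True, f"unparseable input: {exc}"
    if not argv:
        return True, "empty command"
    binary = argv[0]
    if binary not in AUTO_APPROVED:
        return True, f"{binary} is not on the auto-approve list"
    blocked = EXEC_FLAGS.get(binary, set()).intersection(argv[1:])
    if blocked:
        return True, f"{binary} used with {sorted(blocked)}"
    return False, "auto-approved"


if __name__ == "__main__":
    # Constructed sample inputs; the second and third come from the findings.
    samples = [
        'find . -name "*.py"',
        'find . -exec sh -c "python -m http.server 8080" +',
        "echo ${PATH}",
        'find . -name "unterminated',
    ]
    for cmd in samples:
        print(f"{cmd!r:55} -> {needs_user_approval(cmd)}")
```

The check is deliberately conservative: quoted metacharacters and path-qualified binaries such as /usr/bin/find also fall through to a user prompt.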