GHSA-ph6w-f82w-28w6: Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning
When Claude Code was started in a new directory, it displayed a warning asking, “Do you trust the files in this folder?”. This warning did not properly document that selecting “Yes, proceed” would allow Claude Code to execute files in the folder without additional confirmation. This may not have been clear to a user so we have updated the warning to clarify this functionality.
Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.
Thank you to https://hackerone.com/avivdon for reporting this issue!
References
Code Behaviors & Features
Detect and mitigate GHSA-ph6w-f82w-28w6 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →