Claude — Security Profile
Product Overview
| Component | Description | Attack Surface |
|---|---|---|
| Claude Chat (claude.ai) | Web-based conversational AI with memory, file upload, tool use, web search | Prompt injection, memory manipulation, data extraction, jailbreaking |
| Claude API | Developer API for integrating Claude into applications | Prompt injection via applications, data extraction, model extraction |
| Claude Code | CLI-based agentic coding tool with file system access, shell execution, MCP support | RCE via config injection, command injection, API key theft, path traversal |
| Claude Code IDE Extensions | VS Code / JetBrains extensions connecting IDE to Claude Code terminal | WebSocket auth bypass, local file read, code execution |
| Claude MCP Ecosystem | Model Context Protocol servers and tooling | CSRF, RCE via MCP Inspector, directory traversal, symlink bypass |
Claude Chat & API
Vulnerability Classes
Prompt injection — Claude is susceptible to both direct and indirect prompt injection. Like all LLMs, it cannot architecturally distinguish between developer instructions and attacker-injected instructions in the context window.
Memory manipulation — Claude's persistent memory feature (remembers details across conversations) can be poisoned via indirect prompt injection. A malicious website summarized by Claude can inject false memories that persist across sessions and devices.
System prompt extraction — Claude's system prompts can be extracted via standard techniques (translation, encoding, roleplay, summarization). Anthropic trains against direct extraction but creative approaches succeed.
Training data memorization — Like all large models, Claude memorizes portions of its training data. Divergence attacks and prefix prompting can trigger reproduction of memorized content.
Known Vulnerability Patterns
| Pattern | Description | Impact |
|---|---|---|
| Indirect injection via web browse | Websites with hidden instructions manipulate Claude when it browses them | Response hijacking, data exfiltration |
| Memory persistence injection | Poisoned memory entries persist across conversations | Long-term manipulation, false context |
| Tool abuse via injection | Prompt injection causes Claude to misuse connected tools (code execution, file access) | Unauthorized actions, data leakage |
| Cross-modal injection | Instructions hidden in images processed by Claude's vision | Invisible prompt injection |
Recommended Controls
| Control | Implementation |
|---|---|
| Monitor memory entries | Periodically review Claude's stored memories for unexpected entries |
| Restrict tool permissions | Limit which tools Claude can access in your deployment |
| Output filtering | Scan Claude outputs for PII and sensitive data before surfacing to users |
| Input sanitization | Filter user inputs and RAG content for injection patterns |
| Rate limiting | Apply per-user and per-key rate limits on API access |
| Session isolation | Ensure multi-tenant deployments properly isolate user contexts |
Claude Code
Claude Code is the highest-risk Anthropic product from a security perspective due to its direct access to the file system, shell execution, and network connectivity.
Architecture
Claude Code operates as a CLI tool that:
- Reads and writes files on the local filesystem
- Executes shell commands (with a whitelist/approval system)
- Connects to MCP servers for external tool integration
- Authenticates to Anthropic's API using an API key
- Reads project configuration from
.claude/settings.json
CVE Table
| CVE | Severity | Component | Description | Fixed In | Control |
|---|---|---|---|---|---|
| CVE-2025-54794 | 7.3 (High) | Path validation | Path restriction bypass via naïve prefix-based validation. Allowed access to files outside the configured working directory. Same flaw pattern as CVE-2025-53110 in Anthropic's Filesystem MCP Server. | v0.2.111 | Enable directory containment checks; run Claude Code in containers with filesystem isolation |
| CVE-2025-54795 | 8.7 (High) | Command execution | Command injection via whitelisted echo command. Payload: echo "\"; malicious_command; echo \"" bypassed confirmation prompt. Discovered via "InversePrompt" technique using Claude itself. | v1.0.20 | Upgrade immediately; audit command execution logs for injection patterns; sandbox Claude Code execution |
| CVE-2025-59041 | High | Git config parsing | Code injection via malicious git config user.email value. Claude Code executes a command templated with git email at startup — before the workspace trust dialog appears. | v1.0.105 | Monitor .gitconfig for shell metacharacters; implement file integrity monitoring on git configs |
| CVE-2025-59536 | 8.7 (High) | Hooks + MCP config | Two related flaws. (1) Malicious Claude Hooks in .claude/settings.json execute arbitrary shell commands on project open. (2) MCP servers configured in repo settings auto-execute before user approval when enableAllProjectMcpServers is set. | Patched (2025) | Never open untrusted repos with Claude Code; audit .claude/settings.json in all cloned repos; require approval for all MCP servers |
| CVE-2026-21852 | 5.3 (Medium) | Environment variables | API key exfiltration via ANTHROPIC_BASE_URL override in project config. All API traffic including auth headers redirected to attacker-controlled server before trust dialog appears. | v2.0.65 | Pin ANTHROPIC_BASE_URL at the system level; monitor for unexpected API endpoint changes; rotate API keys after opening untrusted projects |
Attack Chains
Supply chain via repository:
Attacker commits malicious .claude/settings.json to a shared repo
→ Developer clones repo and opens it with Claude Code
→ Hooks execute arbitrary commands before trust dialog
→ Attacker achieves RCE with developer's privileges
→ Lateral movement to production systems, credential theft
API key theft:
Attacker sets ANTHROPIC_BASE_URL in .claude/settings.json
→ Developer opens project
→ All API calls (including auth header with API key) route to attacker's server
→ Attacker captures API key before trust dialog appears
→ Attacker uses key to access the developer's Anthropic workspace
Hardening Recommendations
- Always update Claude Code — versions prior to 1.0.24 are deprecated and force-updated
- Never open untrusted repositories with Claude Code without reviewing
.claude/directory first - Run in isolated environments — containers or VMs for untrusted projects
- Audit
.claude/settings.jsonin every repo before opening — treat it as executable code - Pin API endpoints at the environment level, not the project level
- Rotate API keys if you've opened an untrusted project
- Monitor process execution — alert on unexpected child processes spawned by Claude Code
Claude Code IDE Extensions (VS Code / JetBrains)
CVE Table
| CVE | Severity | Description | Fixed In | Control |
|---|---|---|---|---|
| CVE-2025-52882 | 8.8 (High) | WebSocket authentication bypass. The IDE extension runs a local WebSocket server for MCP communication with no auth token. Any website visited in a browser could connect to the WebSocket server on localhost, read local files, and execute code in Jupyter notebooks. | v1.0.24 | Update extensions immediately; verify extension version in VS Code; restrict localhost WebSocket access via firewall rules |
Context
This vulnerability follows a broader pattern in MCP tooling. Related CVEs in the MCP ecosystem include:
| CVE | Component | Severity | Description |
|---|---|---|---|
| CVE-2025-49596 | MCP Inspector | 9.4 (Critical) | RCE via browser-based CSRF attack against MCP Inspector |
| CVE-2025-53109 | Filesystem MCP Server | 8.4 (High) | Symbolic link bypass — escape filesystem sandbox |
| CVE-2025-53110 | Filesystem MCP Server | 7.3 (High) | Directory containment bypass via path manipulation |
Hardening Recommendations
- Keep IDE extensions on the latest version — restart IDE after updates
- Disable MCP integrations you don't actively use
- Run development environments in containers when working with untrusted projects
- Monitor for unauthorized localhost WebSocket connections
What to Test in Engagements
Claude Chat / API Red Team Checklist
□ System prompt extraction (translation, encoding, summarization, roleplay)
□ Direct jailbreak testing (persona, multi-turn, encoding, GCG-style suffixes)
□ Indirect prompt injection via documents, web content, images
□ Memory manipulation — can you inject persistent false memories?
□ Tool abuse — can injection trigger unauthorized tool calls?
□ Cross-user isolation — multi-tenant data leakage
□ Training data extraction — prefix prompting, divergence attacks
□ PII in outputs — probe for memorized personal information
Claude Code Red Team Checklist
□ Review .claude/settings.json for command injection opportunities
□ Test Hooks execution on project open
□ Test MCP server auto-approval bypass
□ Test ANTHROPIC_BASE_URL redirection for API key capture
□ Test path traversal outside configured working directory
□ Test command injection via whitelisted commands (echo, etc.)
□ Test git config injection (user.email with shell metacharacters)
□ Test prompt injection via project files read by Claude Code
□ Verify trust dialog cannot be bypassed or dismissed programmatically