@anthropic-ai/claude-code Insecure Temporary File in /copy Command – Response Disclosure and Symlink-Based File Write (CVE-ID: Pending) [Moderate Severity] -DC-Jun2026-629

The `/copy` command in Claude Code versions 2.1.59 through 2.1.127 writes the assistant’s response to a hardcoded, predictable temporary file path: `/tmp/claude/response.md`. The file is created with world-readable permissions (0644) inside a world-traversable directory (0755), without any UID-based isolation, random filename component, or symlink protection. This combination of flaws enables two distinct attack vectors on multi‑user systems.

First, because the file is world‑readable and its path is fully predictable, any local unprivileged user on the same machine can read the contents of `/tmp/claude/response.md` immediately after a privileged user executes the `/copy` command. The response may contain sensitive information such as API keys, credentials, internal configuration snippets, or proprietary source code that Claude included in its output.

Second, the static path allows a local attacker to pre‑create the `/tmp/claude/` directory and place a symbolic link at `/tmp/claude/response.md` pointing to any file writable by the target user (for example, `~/.bashrc`, `~/.ssh/authorized_keys`, or system configuration files). When the privileged user later runs `/copy`, Claude Code follows the symlink and overwrites the attacker‑chosen file with the response text. This grants the attacker arbitrary file write capability within the privileges of the victim user.

The vulnerability requires a local unprivileged account on the same system and a privileged user who executes the `/copy` command. No remote exploitation is possible, but the impact is significant on shared development machines, CI/CD runners, or any environment where multiple users share the same host.

The issue was discovered and reported via HackerOne by c_h4ck_0. Anthropic addressed the flaw in version 2.1.128 by introducing UID‑specific temporary directories with random names and proper permission restrictions. Users on the auto‑update channel have already received the fix, while manual updaters should upgrade immediately.

DailyCVE Form:

Platform: Claude Code CLI
Version: 2.1.59–2.1.127
Vulnerability: Insecure Temporary File
Severity: Moderate (CVSS 5.5)
Date: June 25, 2026

Prediction: Patch already released (2.1.128)

What Undercode Say (Analytics & Commands)

Check world‑readable temporary file after `/copy`:

```bash
ls -la /tmp/claude/response.md
# Expected output: -rw-r--r-- 1 victim victim 1234 Jun 25 10:00 /tmp/claude/response.md
```

Read the response as an unprivileged user:

```bash
cat /tmp/claude/response.md
```

Simulate symlink‑based file overwrite (attacker pre‑creates the link):

```bash
# Attacker creates the directory and a symlink to a target file
mkdir -p /tmp/claude
ln -sf /home/victim/.ssh/authorized_keys /tmp/claude/response.md
# When victim runs /copy, the response overwrites authorized_keys
```

Check if the symlink is followed (proof of concept):

```bash
# Attacker monitors the target file
inotifywait -m /home/victim/.ssh/authorized_keys
# When /copy is executed, a write event is triggered
```

Verify the fix in patched versions (2.1.128+):

```bash
# The new temporary path should be UID‑specific and random
ls -la /tmp/claude-/response-.md
# Example: /tmp/claude-1000-a7f3/response-9e2b.md (mode 0600)
```
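The ownership, mode and symlink checks from this section can be folded into one audit routine for shared hosts. This is an added example, not code from the original page or from Claude Code; `auditCopyTemp` and `sampleAudit` are hypothetical names, and the sample layouts are constructed in a scratch directory.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// lstat never follows links, so a planted symlink is reported rather than traversed.
function auditCopyTemp(dir, fileName, expectedUid) {
  const findings = [];
  const file = path.join(dir, fileName);
  let d, f;
  try { d = fs.lstatSync(dir); } catch { return findings; }   // directory absent
  if (d.isSymbolicLink()) findings.push('directory is a symlink');
  if (d.uid !== expectedUid) findings.push(`directory owned by uid ${d.uid}`);
  if (d.mode & 0o077) findings.push('directory open to group/other');
  try { f = fs.lstatSync(file); } catch { return findings; }  // file absent
  if (f.isSymbolicLink()) {
    findings.push(`file is a symlink to ${fs.readlinkSync(file)}`);
    return findings;
  }
  if (f.uid !== expectedUid) findings.push(`file owned by uid ${f.uid}`);
  if (f.mode & 0o077) findings.push('file open to group/other');
  return findings;
}

// Constructed layouts: the pre-fix modes, a planted link, and the fixed modes.
function sampleAudit() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'audit-demo-'));
  const make = (name, dirMode) => {
    const dir = path.join(base, name);
    fs.mkdirSync(dir);
    fs.chmodSync(dir, dirMode);
    return dir;
  };
  const weak = make('weak', 0o755);
  fs.writeFileSync(path.join(weak, 'response.md'), 'text');
  fs.chmodSync(path.join(weak, 'response.md'), 0o644);
  const linked = make('linked', 0o700);
  fs.symlinkSync(path.join(base, 'elsewhere'), path.join(linked, 'response.md'));
  const tight = make('tight', 0o700);
  fs.writeFileSync(path.join(tight, 'response.md'), 'text', { mode: 0o600 });
  const uid = process.getuid();
  const out = [weak, linked, tight].map((d) => auditCopyTemp(d, 'response.md', uid));
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

On a host still running an affected version, the call would be `auditCopyTemp('/tmp/claude', 'response.md', process.getuid())`, run as the user who uses `/copy`.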

Exploit

  1. Reconnaissance – The attacker identifies that the target system runs Claude Code and that the victim user frequently uses the `/copy` command.
  2. Symlink planting – The attacker creates the `/tmp/claude/` directory (if not already present) and places a symlink named `response.md` pointing to a critical file owned by the victim, such as ~/.bashrc, ~/.ssh/authorized_keys, or `/etc/sudoers` (if the victim has write privileges).
  3. Trigger – The attacker waits for the victim to execute `/copy` in Claude Code. The command writes the response to /tmp/claude/response.md, which the kernel resolves through the symlink, overwriting the target file with the response content.
  4. Post‑exploitation – The overwritten file may contain malicious shell commands (if `~/.bashrc` is targeted) or grant the attacker SSH access (if `authorized_keys` is overwritten with the attacker’s public key), effectively achieving privilege escalation or persistent access.

Protection

  • Upgrade immediately – Update to Claude Code version 2.1.128 or later. Users on the auto‑update channel are already protected.
  • Use UID‑isolated temp directories – The fixed version creates temporary files under a path like `/tmp/claude-/response-.md` with permissions `0600` and the directory with 0700, preventing cross‑user access.
  • Employ symlink protection – The patch validates that the target path is not a symlink before writing, or uses `O_NOFOLLOW` / `O_EXCL` flags to avoid following symbolic links.
  • Restrict `/tmp` permissions – As a workaround, system administrators can mount `/tmp` with the `nosuid` and `nodev` options and set the sticky bit (chmod 1777 /tmp) to limit symlink attacks, though this does not fully mitigate the issue.
  • Audit logs – Monitor for unexpected writes to `/tmp/claude/response.md` or creation of symlinks in `/tmp/claude/` to detect potential exploitation attempts.
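The difference between the predictable-path write and the mitigations listed above (private random directory, `0600` file, `O_EXCL`/`O_NOFOLLOW`) can be shown side by side. This is an added example, not Claude Code's actual source or patch; the function names are hypothetical, and the symlink scenario is constructed inside a scratch directory rather than `/tmp/claude`.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');
// "Before" (behaviour the advisory describes): fixed name, 0644, symlinks followed.
function writeNaive(base, text) {
  const dir = path.join(base, 'claude');
  fs.mkdirSync(dir, { recursive: true, mode: 0o755 });
  fs.writeFileSync(path.join(dir, 'response.md'), text, { mode: 0o644 });
}

// Create a file only if nothing (regular file or symlink) already sits at that path.
function createPrivateFile(file, text) {
  const { O_WRONLY, O_CREAT, O_EXCL, O_NOFOLLOW = 0 } = fs.constants;
  const fd = fs.openSync(file, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0o600);
  try { fs.writeSync(fd, text); } finally { fs.closeSync(fd); }
}

// "After": per-UID directory with a random suffix (mkdtemp creates it 0700), random file name.
function writeHardened(base, text) {
  const dir = fs.mkdtempSync(path.join(base, `claude-${process.getuid()}-`)); // POSIX only
  const file = path.join(dir, `response-${crypto.randomBytes(4).toString('hex')}.md`);
  createPrivateFile(file, text);
  return file;
}

// Constructed sandbox: a symlink waits at the predictable path, pointing at a stand-in file.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'copy-demo-'));
  const target = path.join(base, 'owned-by-user.txt');
  const planted = path.join(base, 'claude', 'response.md');
  fs.writeFileSync(target, 'original\n');
  fs.mkdirSync(path.dirname(planted));
  fs.symlinkSync(target, planted);
  writeNaive(base, 'response\n');
  const naiveOverwrote = fs.readFileSync(target, 'utf8') === 'response\n';
  fs.writeFileSync(target, 'original\n');
  let refused = null;
  try { createPrivateFile(planted, 'response\n'); } catch (e) { refused = e.code; }
  const file = writeHardened(base, 'response\n');
  const result = {
    naiveOverwrote, refused,
    targetIntact: fs.readFileSync(target, 'utf8') === 'original\n',
    fileMode: fs.statSync(file).mode & 0o777,
    dirMode: fs.statSync(path.dirname(file)).mode & 0o777,
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

`demo()` reports that the naive write replaced the stand-in file through the link, while the exclusive open refused the planted path and the hardened write landed in a private directory.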

Impact

  • Information Disclosure – Any local user can read the responses of a privileged Claude Code user, potentially exposing secrets, credentials, API keys, or sensitive source code that the AI included in its output.
  • Arbitrary File Write – By planting a symlink, an attacker can overwrite any file writable by the victim user, leading to:
      • Privilege Escalation – Overwriting `~/.ssh/authorized_keys` to add the attacker’s SSH public key, or modifying `~/.bashrc` to execute malicious commands on the next login.
      • System Compromise – On systems where the victim has sudo privileges, overwriting `/etc/sudoers` or other system files could grant the attacker root access.
      • Data Corruption – Critical application or configuration files can be destroyed, causing denial of service or unpredictable behavior.
  • CVSS Score – 5.5 (Moderate) due to the requirement of local access and user interaction, but the impact is severe in shared environments.

Sources:

Reported By: github.com