The `BetaLocalFilesystemMemoryTool` in the Anthropic TypeScript SDK creates memory files and directories using Node.js default modes (`0o666` for files, `0o777` for directories). This leaves them world-readable on systems with a standard umask and world-writable in permissive umask environments like many Docker base images. A local attacker on a shared host can read persisted agent state, and in containerized deployments, can modify memory files to influence subsequent model behavior.
dailycve form:
Platform: Claude SDK
Version: 0.79.0-0.91.0
Vulnerability: Insecure file permissions
Severity: Medium
date: 2026-04-29
Prediction: Expected Patch 2026-05-15
What Undercode Say:
Security analytics and remediation steps are provided below.
```bash
# Check current Claude SDK version
npm list @anthropic-ai/sdk

# Check file permissions of memory directories
ls -la ~/.claude/memory/

# Fix: Update to patched version
npm install @anthropic-ai/sdk@0.91.1

# Alternative: Manually set secure umask
umask 077
```
Exploit:
A local attacker on a shared host can read the memory files created by the SDK, exposing persisted agent state. In containerized deployments (e.g., Docker), the attacker can write to these files, altering the model’s behavior in subsequent interactions.
Protection:
- Upgrade to Claude SDK version 0.91.1 or later.
- Set a restrictive umask (e.g., 077) in your environment.
- Run containers with a non-root user and restrict file system access.
- Monitor file permissions of the `.claude/memory/` directory.
Impact:
- Confidentiality: Potentially high. Agent state (e.g., conversation history, tool outputs) could be exposed to unauthorized local users.
- Integrity: Medium in containerized environments. Attackers could modify memory files to influence model behavior.
- Availability: Low. No direct denial-of-service impact, but persisted state could be corrupted.
Sources:
Reported By: github.com

