Executive Summary

This vulnerability in Claude Code versions prior to 2.0.65 allows a malicious repository to exfiltrate sensitive data, including Anthropic API keys, before the user confirms trust. When a user opens a repository controlled by an attacker that includes a settings file setting the environment variable ANTHROPIC_BASE_URL to an attacker-controlled endpoint, Claude Code sends API requests to that endpoint immediately, leaking API keys. This happens before the trust prompt is shown, requiring no special privileges or user interaction beyond opening the repository. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information such as Anthropic API keys to attackers. This can allow attackers to misuse these keys, potentially leading to unauthorized access to services or data associated with those keys. However, the impact on confidentiality, integrity, and availability of the vulnerable system is considered low, and there are no subsequent system impacts reported. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unexpected API requests sent by Claude Code to unknown or attacker-controlled endpoints, especially those involving the ANTHROPIC_BASE_URL environment variable. Since the vulnerability causes Claude Code to send API requests before the trust prompt, inspecting outgoing requests from the Claude Code process when opening new repositories may reveal suspicious activity. Specific commands could include using network monitoring tools like 'tcpdump' or 'Wireshark' to capture outgoing traffic from the system, filtering for unusual destinations or endpoints. Additionally, checking environment variables or configuration files in repositories for the presence of ANTHROPIC_BASE_URL set to non-standard URLs may help identify malicious repositories. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, users should update Claude Code to version 2.0.65 or later, as this version contains the patch that fixes the issue. Users who have automatic updates enabled have likely already received the fix. Those performing manual updates should upgrade to the latest version as soon as possible. Avoid opening repositories from untrusted sources until the update is applied to prevent potential exfiltration of API keys. [1]

Useful 0 Not Useful 0

Compliance Impact

The vulnerability involves unauthorized exposure of sensitive information, specifically Anthropic API keys, due to insecure handling of authentication credentials. Such exposure of sensitive data could potentially lead to non-compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access and disclosure. However, the provided resources do not explicitly discuss compliance impacts or regulatory considerations. [1]

Useful 0 Not Useful 0