Executive Summary

The vulnerability exists in the Claude SDK for TypeScript versions from 0.79.0 to before 0.91.1, specifically in the BetaLocalFilesystemMemoryTool. This tool created memory files and directories with default Node.js permissions (0o666 for files and 0o777 for directories), which made these files world-readable on systems with a standard umask and even world-writable in environments with permissive umasks, such as many Docker base images.

Because of these permissive permissions, a local attacker on a shared host could read the persisted agent state. In containerized deployments, an attacker could modify these memory files, potentially influencing the behavior of the model in subsequent operations.

This issue was fixed in version 0.91.1 of the SDK.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing a local attacker on a shared host to read sensitive persisted agent state data due to overly permissive file permissions.

In containerized environments, an attacker could modify memory files, which might influence the behavior of the AI model, potentially causing it to act in unintended or malicious ways.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade the Claude SDK for TypeScript to version 0.91.1 or later, where the issue has been patched.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows local attackers on shared hosts to read persisted agent state and, in containerized environments, to modify memory files influencing model behavior. This exposure of potentially sensitive data due to world-readable and world-writable file permissions could lead to unauthorized data access.

Such unauthorized access and modification risks may impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information to ensure confidentiality and integrity.

However, the CVE description does not explicitly mention compliance impacts or specific regulatory considerations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK creating files and directories with overly permissive permissions, making them world-readable or writable depending on the environment.

To detect this vulnerability on your system, you can check for files and directories created by the BetaLocalFilesystemMemoryTool that have permissions allowing world-read or world-write access.

For example, you can use the following commands on a Unix-like system to find such files and directories:

• Find files with world-readable or world-writable permissions (mode 666 or more permissive): find /path/to/your/app -type f \( -perm -o+r -o -perm -o+w \) -ls
• Find directories with world-readable or world-writable permissions (mode 777 or more permissive): find /path/to/your/app -type d \( -perm -o+r -o -perm -o+w \) -ls

Replace /path/to/your/app with the directory where the Anthropic TypeScript SDK or your application stores its memory files.

Additionally, verifying the installed version of the Anthropic TypeScript SDK can help determine if the vulnerable versions (0.79.0 to before 0.91.1) are in use.

• Check the installed SDK version: npm list anthropic-typescript-sdk

Useful 0 Not Useful 0