Arbitrary Command Injection Affecting @anthropic-ai/claude-code package, versions >=2.1.63 <2.1.84
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary Command Injection vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-ANTHROPICAICLAUDECODE-16301567
- published27 Apr 2026
- disclosed24 Apr 2026
- creditMasato Anzai
Introduced: 24 Apr 2026
NewCVE-2026-40068 (opens in a new tab)How to fix?
Upgrade @anthropic-ai/claude-code to version 2.1.84 or higher.
Overview
@anthropic-ai/claude-code is an Use Claude, Anthropic's AI assistant, right from your terminal. Claude can understand your codebase, edit files, run terminal commands, and handle entire workflows for you.
Affected versions of this package are vulnerable to Arbitrary Command Injection via the commondir handling process. An attacker can execute arbitrary code by crafting a malicious repository with a commondir file that points to a previously trusted path, thereby bypassing the trust dialog and triggering malicious hooks in .claude/settings.json.
Note: This is only exploitable if the victim clones the malicious repository, runs the application within it, and the attacker knows or guesses a path the victim has already trusted.