Command Injection Affecting claude-statusline package, versions [,1.9.9)

Severity: critical (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-CLAUDESTATUSLINE-14172733
  • Published: 4 Dec 2025
  • Disclosed: 2 Dec 2025
  • Credit: Unknown

Introduced: 2 Dec 2025

CVE: not available. CWE: CWE-78

How to fix?

Upgrade claude-statusline to version 1.9.9 or higher.

Overview

claude-statusline provides real-time session tracking and analytics for Claude Code.

Affected versions of this package are vulnerable to Command Injection due to improper handling of subprocess calls. The instance_manager.py module constructs shell commands using string interpolation and passes them to subprocess without proper sanitisation or safe argument handling. An attacker can exploit this by injecting malicious command fragments into parameters processed by these subprocess calls, leading to unauthorized command execution on the host system.
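To make the pattern the advisory describes concrete, here is an added illustration (not claude-statusline's own code; the session-id parameter, the `ps` command and the `echo` stand-in are assumptions): the interpolated shell string beside the argv-list form, plus a tokeniser-based check a reviewer can run over such strings to spot ones a shell would split into more than one command.

```python
import re
import shlex
import subprocess

# Illustrative stand-in for the pattern in the advisory: a shell string built
# by interpolation and handed to subprocess. Not claude-statusline's own code;
# the session-id parameter and the `ps` command are assumptions.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

def build_command_unsafe(session_id: str) -> str:
    """Vulnerable pattern: with shell=True the shell parses session_id too.
    Returned for inspection only; never executed in this example."""
    return f"ps -o pid= -p {session_id}"

def build_command_quoted(session_id: str) -> str:
    """If a shell string is unavoidable, shlex.quote keeps the value one word."""
    return f"ps -o pid= -p {shlex.quote(session_id)}"

def shell_tokens(command: str) -> list:
    """Tokenise as a POSIX shell would, emitting ; | & < > ( ) as tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def command_separators(command: str) -> int:
    """Review/triage aid: count tokens that would start a second command,
    a subshell or a redirect. Zero means the string is one simple command."""
    seps = {";", "|", "||", "&", "&&", "<", ">", ">>", "("}
    return sum(1 for tok in shell_tokens(command) if tok in seps)

def is_valid_session_id(session_id: str) -> bool:
    """Allow-list check applied before the value reaches any subprocess."""
    return SESSION_ID_RE.fullmatch(session_id) is not None

def run_safe(session_id: str) -> str:
    """Hardened pattern: validated input, argv list, no shell. `echo` stands in
    for the real command so the example runs anywhere."""
    if not is_valid_session_id(session_id):
        raise ValueError(f"rejected session id: {session_id!r}")
    out = subprocess.run(["echo", session_id], capture_output=True, text=True, check=True)
    return out.stdout.strip()

def argv_is_literal(value: str) -> str:
    """Argv list without a shell: metacharacters in value are just characters
    delivered to the child, not instructions to a shell."""
    out = subprocess.run(["echo", value], capture_output=True, text=True, check=True)
    return out.stdout.strip()
```

The same tokeniser check can be pointed at command strings recovered from process-audit logs to triage whether a logged invocation carried an injected fragment.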
