Security firm Adversa has disclosed a vulnerability in Claude Code where the tool's deny rules — designed to block dangerous operations like network requests via curl — silently stop enforcing when a command chain exceeds 50 subcommands. The issue stems from a hard-coded variable MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50 in the bashPermissions.ts file, documented internally as Anthropic issue CC-643 with the reasoning that '50 is a generous allowance for legitimate usage.'
The bypass mechanism is straightforward. An attacker can craft a command chain combining 50 no-op 'true' commands followed by a restricted operation like curl. After the 50th subcommand, Claude Code falls back from enforcing deny rules to simply asking the user for permission — a critical difference in CI/CD pipelines running non-interactively where no human is present to refuse. Adversa's proof-of-concept demonstrated that malicious CLAUDE.md files could instruct the AI to generate long command pipelines that silently circumvent security restrictions.
The most striking aspect of the disclosure is that Anthropic had already developed a fix. A tree-sitter parser exists in the source code but was not enabled in public builds. The Register reported that a single line change — switching the behaviour key from 'ask' to 'deny' at bashPermissions.ts line 2174 — would resolve the issue entirely. The vulnerability was discovered after Anthropic's accidental source code leak exposed the internal implementation details. As of Claude Code v2.1.90, the vulnerability appears to have been patched.
For context engineers running Claude Code in automated workflows, this is a reminder that AI coding tools operate with significant system access and that security boundaries must be verified rather than assumed. The incident also highlights the importance of the emerging AI agent security ecosystem — tools like AgentMon and Adversa's research are becoming essential as autonomous coding agents gain broader deployment across enterprise environments.
