Claude Code guardrails falter under command overload

Anthropic’s Claude Code has come under fresh scrutiny after researchers disclosed a flaw that can neutralise user-set deny rules when a shell command is padded with a long chain of harmless subcommands, raising concerns that a safety feature marketed as a hard stop may fail in exactly the kind of hostile conditions it is meant to resist.

The issue centres on Claude Code’s permission system, which lets developers block specific actions such as curl or other shell commands that could be used to move data off a machine. According to Adversa AI, which analysed code exposed in Anthropic’s source leak, the public build uses a hard cap of 50 subcommands for security checking. Once that ceiling is crossed, the software falls back to asking for permission rather than enforcing the deny rule across every subcommand. The Register independently reported the same implementation detail after reviewing the leaked code and the associated explanation in bashPermissions.ts.

That matters because Claude Code is designed to operate inside terminals, edit files, run commands and handle parts of software workflows with limited human intervention. Anthropic itself has described the product as a tool where users approve a high share of prompts, and said it introduced “auto mode” partly to reduce approval fatigue. The company has also acknowledged, in its own engineering writing, that agentic coding systems can misfire by taking actions users did not intend, including mishandling branches, credentials and production systems.


Researchers say the newly disclosed weakness could be exploited by wrapping a blocked command inside dozens of benign statements joined by shell operators such as &&, || or ;. In that scenario, a developer who believes a deny rule will stop a risky command may instead receive a generic approval request, or permit the sequence under looser workflow settings, without realising the original block is no longer being applied in the same way. Adversa argued that this creates an opening for prompt-injection attacks or data exfiltration attempts, particularly in automated development environments.
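To make the failure mode concrete, here is a constructed TypeScript model of the two policies described above: a checker that stops consulting deny rules once a compound command exceeds the 50-subcommand cap and falls back to a prompt, beside a fail-closed variant that scans every subcommand first. This is an added illustration, not Anthropic's bashPermissions.ts; the splitting logic, rule shape and the hypothetical `true`-padded sample command are assumptions.

```typescript
// Constructed model of a deny-rule checker for compound shell commands.
// Not Anthropic's code: the split logic and rule shape are assumptions.
const SUBCOMMAND_CAP = 50; // cap reported for the public build

type Verdict = "allow" | "deny" | "ask";

// Split a compound command on the operators the article names: &&, || and ;
// (simplified: does not handle quoting, pipes or subshells).
function splitCompound(cmd: string): string[] {
  return cmd
    .split(/\s*(?:&&|\|\||;)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// A deny rule matches when the subcommand's program name equals the rule.
function matchesDenyRule(sub: string, denyRules: string[]): boolean {
  const program = sub.split(/\s+/)[0];
  return denyRules.includes(program);
}

// Weak policy: past the cap, skip the scan and fall back to a permission
// prompt, so a denied program buried late in the chain is never seen.
function checkWeak(cmd: string, denyRules: string[]): Verdict {
  const subs = splitCompound(cmd);
  if (subs.length > SUBCOMMAND_CAP) return "ask"; // deny rules not consulted
  return subs.some((s) => matchesDenyRule(s, denyRules)) ? "deny" : "allow";
}

// Hardened policy: a deny match anywhere wins regardless of length, and an
// over-cap command is itself a fail-closed reason to deny, not to skip checks.
function checkHardened(cmd: string, denyRules: string[]): Verdict {
  const subs = splitCompound(cmd);
  if (subs.some((s) => matchesDenyRule(s, denyRules))) return "deny";
  if (subs.length > SUBCOMMAND_CAP) return "deny";
  return "allow";
}

// Constructed sample: a denied program after 60 harmless `true` calls.
const SAMPLE =
  Array(60).fill("true").join(" && ") + " && curl http://example.invalid";

// Weak: "ask" (rule bypassed); hardened: "deny"
const weakVerdict = checkWeak(SAMPLE, ["curl"]);
const hardenedVerdict = checkHardened(SAMPLE, ["curl"]);
```

Auditing a permission layer this way, with an over-cap test case alongside the short ones, is how a team would catch a cap-induced fallback before it ships.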

The chronology has sharpened industry interest. On March 31, Anthropic confirmed that a release packaging error had exposed a large portion of Claude Code’s internal source code, with the company saying no customer data or credentials were leaked and describing the event as human error rather than an external breach. Within a day, outside researchers had begun mining the leaked code for architectural details and weaknesses. Adversa published its findings on April 1, and the report was then amplified by technology and security outlets.

Anthropic’s position is complicated by the fact that its public material stresses safety as a core design concern. In its March 25 post on Claude Code’s auto mode, the company said permission prompts exist to keep users safe, while also noting that frequent approvals can lead people to stop scrutinising requests. That trade-off is central to the present dispute: the company appears to have tried to reduce performance and usability costs from checking very long compound commands, but critics say the design choice weakened a control users reasonably expected to be absolute.

There is also evidence that deny-rule behaviour has been a recurring pressure point. Anthropic’s Claude Code changelog shows repeated fixes over time for permission-rule matching, wildcard handling, compound-command parsing and other security-related bypasses. Separately, users have logged GitHub issues alleging that sub-agents or tool flows did not reliably inherit deny settings, which points to a broader challenge in keeping policy enforcement consistent across a rapidly evolving coding agent. Those reports are not identical to the newly disclosed 50-subcommand flaw, but together they suggest a product area that remains under active repair.

At the same time, the available public changelog up to version 2.1.92, dated April 4, lists a range of security and permissions fixes but does not clearly identify a specific remediation for the subcommand-cap flaw described by Adversa. That does not prove no fix exists, only that no direct public disclosure of such a fix was evident in the release notes reviewed.



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
