Flawed Permission Logic Enabled Access Bypass
A supply chain vulnerability was discovered in the GitHub Actions workflow used by Claude Code, Anthropic’s AI coding assistant. Security researcher RyotaK identified that the workflow’s checkWritePermissions function incorrectly trusted any automated bot account, regardless of its actual write access to the repository. Because GitHub Apps automatically have read access to public repositories and can open issues or pull requests using only an installation token, an attacker could bypass the intended permission restriction.
The attack required only a few steps. An attacker would create a malicious GitHub App, install it on a repository they control, and then use its token to open an issue or pull request on a target public repository. The workflow would then process content from this bot account, which had no write access to the target repository, granting it the same privileges as a legitimate contributor.
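The flawed trust decision described above, set beside a check that verifies access for every actor. This is an added example, not code from the Claude Code action: the function names, actor records and permission lookup are constructed for illustration.

```javascript
// Added illustration; names and data are constructed, not the project's own.
const WRITE_LEVELS = new Set(["write", "maintain", "admin"]);

// Constructed stand-in for a repository permission lookup.
const SAMPLE_PERMISSIONS = new Map([
  ["maintainer-alice", "admin"],
  ["drive-by-user", "read"],
  ["repo-ci[bot]", "write"], // App the repository owner installed
  // "outside-app[bot]" is absent: installed elsewhere, no access here
]);

function lookupPermission(login) {
  if (!SAMPLE_PERMISSIONS.has(login)) {
    throw new Error(`no permission record for ${login}`);
  }
  return SAMPLE_PERMISSIONS.get(login);
}

// Flawed pattern described in the article: actor type alone grants trust.
function flawedCheck(actor, lookup = lookupPermission) {
  if (actor.type === "Bot") return true;
  try { return WRITE_LEVELS.has(lookup(actor.login)); } catch { return false; }
}

// Hardened pattern: no shortcut on actor type, and fail closed on lookup errors.
function hardenedCheck(actor, lookup = lookupPermission) {
  try {
    return WRITE_LEVELS.has(lookup(actor.login));
  } catch {
    return false; // unknown actor or failed lookup means no access
  }
}

// Regression helper: actors the flawed check admits but the hardened one rejects.
function trustGap(actors) {
  return actors.filter((a) => flawedCheck(a) && !hardenedCheck(a)).map((a) => a.login);
}

const SAMPLE_ACTORS = [
  { login: "maintainer-alice", type: "User" },
  { login: "drive-by-user", type: "User" },
  { login: "repo-ci[bot]", type: "Bot" },
  { login: "outside-app[bot]", type: "Bot" },
];

console.log(trustGap(SAMPLE_ACTORS));
```

Running a helper like `trustGap` in CI against a list of representative actors turns the bypass into a regression test: any non-empty result means the actor type is being used as a substitute for an access check.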
Exploitation Through Prompt Injection
Once the permission check was bypassed, an attacker could inject a malicious description into the issue or pull request. This description would appear to Claude Code as a fake error message, triggering embedded commands without additional user approval. The tool allows certain system commands like cat and head to run automatically, giving the attacker access to environment variables from the workflow process.
Among the exposed variables were the credentials needed to request an OIDC token from GitHub Actions. With this token, an attacker could obtain a privileged installation token for the Claude GitHub App, exfiltrate secrets, steal OIDC tokens, and push malicious code to any downstream repository depending on the Claude Code workflow. The vulnerability was patched in Claude Code GitHub Actions version 1.0.94.
Source: Cyber Security News

