
Anthropic Fixes Claude Code GitHub Action Flaw Allowing Remote Repository Takeover

A permission bypass in the Claude Code GitHub Action let attackers inject malicious prompts through GitHub issues to steal repository secrets.

CSBadmin

How the Bypass Worked

A security researcher discovered a critical flaw in Anthropic’s Claude Code GitHub Action that could allow an attacker to compromise public repositories simply by opening a malicious issue. The vulnerability stemmed from a broken permission check. The action was designed to only allow users with write access to trigger it, but it made an exception for any actor whose name ended with “[bot]” under the assumption that GitHub Apps are trusted. In reality, anyone can register a GitHub App, install it on a repository they own, and use its token to open issues or pull requests on any public repository. When the action encountered a bot, it bypassed the access control check and processed the attacker’s content.
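To make the logic failure concrete, here is an added illustration written for this article, not code from claude-code-action itself: a simplified access check with the "[bot]" suffix exception beside a version that resolves every actor's permission on the target repository. The function names, the `lookupPermission` stand-in and its sample data are assumptions for the example.

```typescript
// Added example modelling the access-control decision the article describes.
// Not the claude-code-action's own code; names and data are constructed.

type Permission = "admin" | "write" | "read" | "none";

// Constructed sample of who holds what on the *target* repository. An app an
// attacker installed on their own repo appears nowhere here, so it resolves
// to "none" just like a drive-by human account would.
const collaboratorPermissions: Record<string, Permission> = {
  "maintainer": "write",
  "dependabot[bot]": "write",
};

// Hypothetical stand-in for the collaborator-permission lookup a real action
// would make against the GitHub API for the repository it runs in.
function lookupPermission(actor: string): Permission {
  return collaboratorPermissions[actor] ?? "none";
}

function hasWriteAccess(actor: string): boolean {
  const p = lookupPermission(actor);
  return p === "admin" || p === "write";
}

// Vulnerable form: any login ending in "[bot]" skips the permission check,
// on the assumption that GitHub Apps are inherently trusted. Because anyone
// can register and install an App, the suffix proves nothing about access.
function isAllowedVulnerable(actor: string): boolean {
  if (actor.endsWith("[bot]")) return true;
  return hasWriteAccess(actor);
}

// Hardened form: no suffix exception. Bot or human, the actor must actually
// hold write access on this repository before its issue text reaches the agent.
function isAllowedHardened(actor: string): boolean {
  return hasWriteAccess(actor);
}
```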

The attack then leveraged indirect prompt injection, a technique where malicious instructions are hidden inside content that an AI model reads. The researcher, RyotaK from GMO Flatt Security, crafted an issue that appeared to be an error message. Through careful refinement, they convinced Claude Code to “recover” by executing commands tucked inside the issue body. The target was the /proc/self/environ file, which contains environment variables including secrets. Though Claude Code has guards against reading this file, the researcher found a way to bypass the protection and have Claude write the stolen environment variables back into the issue, making them visible to the attacker.

Impact and Scope

Because Anthropic’s own official GitHub Action repository used the same vulnerable workflow, a successful attack could have pushed malicious code directly into the action itself. That would have compromised every downstream project that pulls in the Claude Code GitHub Action. The vulnerability was reported to Anthropic in January, and the company released a fix within four days, with additional hardening throughout the spring. The patches are included in claude-code-action version 1.0.94. Anthropic rated the issue at 7.8 under the CVSS v4.0 scoring system and paid a bug bounty to the researcher. The flaw highlights the risks of granting broad permissions to AI agents in CI/CD pipelines, especially when access control logic makes assumptions about the trustworthiness of automated actors.

Source: The Hacker News
