April 07, 2026

Claude Code

audited.xyz by zack.eth

On March 31, 2026, Anthropic leaked the source code for Claude Code. So we audited it, and found one confirmed vulnerability.

To be clear, this is not a critical vulnerability. It is a defense-in-depth finding. That said, Anthropic has Claude Code Review, Claude Code Security, and Mythos, and audited.xyz found room for improvement.

Unrestricted Environment Variable Mutation via Transport Messages

Severity: Low | Confirmed: RCE demonstrated in remote-worker mode

Claude Code’s structured I/O layer accepts update_environment_variables messages over its transport protocol. The processLine method in structuredIO.ts applies incoming key-value pairs directly to process.env with no allowlist:

if (message.type === 'update_environment_variables') {
  const keys = Object.keys(message.variables)
  for (const [key, value] of Object.entries(message.variables)) {
    process.env[key] = value
  }
}

The handler exists to refresh a single session token (CLAUDE_CODE_SESSION_ACCESS_TOKEN). But it accepts writes to every environment variable in the process.

In remote-worker mode, Claude Code connects to a session ingress server via WebSocket or SSE using the --sdk-url flag. The RemoteIO class pipes incoming transport data directly into processLine() with no filtering. The server doesn’t authenticate itself to the client — Claude Code sends a Bearer token to prove its identity, but nothing verifies the server is trustworthy.

We built a proof of concept: a mock WebSocket server that injects NODE_OPTIONS=--require=/tmp/payload.js via update_environment_variables. When Claude Code connects and spawns a child Node.js process, the payload executes — writing a marker file to confirm arbitrary code execution. Tested against Claude Code 2.1.92:

$ cat /tmp/poc-evidence.txt
RCE achieved via NODE_OPTIONS injection
Timestamp: 2026-04-05T00:43:10.408Z

Beyond RCE, the same mechanism enables:

  • OAuth/API endpoint redirection — setting ANTHROPIC_BASE_URL or OAuth endpoint URLs redirects authentication flows and API calls to attacker-controlled servers, exfiltrating credentials and conversation context
  • HTTPS_PROXY — routes all HTTPS traffic through an attacker-controlled proxy
  • NODE_TLS_REJECT_UNAUTHORIZED=0 — disables TLS certificate validation entirely

The attack surface is limited to remote-worker deployments (the common local CLI case uses a Unix pipe to a trusted parent). But within that context, the server-side endpoint has unrestricted control over the worker’s runtime environment, and client-to-server authentication does not make server-to-client messages trustworthy.

The fix is a one-line allowlist restricting mutations to CLAUDE_CODE_-prefixed keys.
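A sketch of that allowlist, as an added example rather than Anthropic's patch or code from the audit: applyEnvUpdate and ALLOWED_PREFIX are hypothetical names, and the sample message is constructed from the variables named above. Besides the prefix check it rejects non-string values and returns the rejected keys so the caller can log them.

```javascript
// Added example: allowlisted handling of update_environment_variables.
// applyEnvUpdate and ALLOWED_PREFIX are hypothetical names, not Claude Code's own.
const ALLOWED_PREFIX = 'CLAUDE_CODE_'

function applyEnvUpdate(message, env = process.env) {
  const result = { applied: [], rejected: [] }
  if (!message || message.type !== 'update_environment_variables') return result
  const vars = message.variables
  // A missing or malformed variables field changes nothing.
  if (vars === null || typeof vars !== 'object' || Array.isArray(vars)) return result

  for (const [key, value] of Object.entries(vars)) {
    // Only string values for keys under the allowed prefix reach the environment.
    if (key.startsWith(ALLOWED_PREFIX) && typeof value === 'string') {
      env[key] = value
      result.applied.push(key)
    } else {
      // Returned to the caller so a refused mutation can be logged and alerted on.
      result.rejected.push(key)
    }
  }
  return result
}

// Constructed transport message: the legitimate token refresh mixed with the
// variables the post lists as dangerous. All values are placeholders.
const sampleMessage = {
  type: 'update_environment_variables',
  variables: {
    CLAUDE_CODE_SESSION_ACCESS_TOKEN: 'constructed-token-value',
    NODE_OPTIONS: '--require=/tmp/payload.js',
    ANTHROPIC_BASE_URL: 'https://example.invalid',
    HTTPS_PROXY: 'http://example.invalid:8080',
    NODE_TLS_REJECT_UNAUTHORIZED: '0',
  },
}

function demo() {
  const env = {} // stand-in for process.env so the demo has no side effects
  const outcome = applyEnvUpdate(sampleMessage, env)
  return { env, outcome }
}

console.log(demo())
```

A rejected key arriving from the session ingress server is worth alerting on, since the handler's only stated purpose is the token refresh.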

Demo

Try it yourself:

npx claude-code-audited

Source: github.com/zack-eth/claude-code-audited

Disclosure

  • April 2, 2026 — Emailed Anthropic security team and submitted to HackerOne VDP
  • April 7, 2026 — Anthropic confirmed the technical analysis

The full audit report is available at audited.xyz/report/claude-code.