The “Fifty Command” Limit: How a Single Line of Code Paralyses Anthropic’s Claude Code Security

Security researchers from the Tel Aviv-based firm Adversa have found a vulnerability in Claude Code, the autonomous AI programming agent developed by Anthropic. When the agent is given a sufficiently long sequence of subcommands, its blocking rules stop being enforced, which gives an attacker the opportunity to mount an attack by injecting malicious instructions.

Claude Code can restrict access to potentially dangerous tools. For instance, an administrator might prohibit the agent from using curl, a utility for making network requests, by adding a corresponding rule to the ~/.claude/settings.json configuration file. While this appears to be a robust safeguard, Adversa found a curious comment in the agent’s source code, which recently leaked into the public domain.

In the bashPermissions.ts file, the constant MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50 was identified. This defines a hard threshold: the agent checks no more than fifty subcommands in a single command string against its security rules. If the number of subcommands exceeds this limit, Claude Code does not block the command automatically but merely asks the user for authorization. A comment in the code explains that fifty is a “generous limit” for conventional operations. While this holds true for human-authored commands, the developers did not anticipate a scenario in which a malicious CLAUDE.md file induces the AI to generate, on its own, a pipeline of fifty or more subcommands disguised as a legitimate build process.

The Adversa team validated this weakness empirically: the researchers constructed a bash command composed of fifty no-op true subcommands followed by a single curl invocation. The agent did not block the curl command but instead requested permission from the user. During long development sessions, developers frequently approve such prompts reflexively, or may even enable the --dangerously-skip-permissions mode, under which the agent operates with full autonomy. CI/CD pipelines that execute Claude Code in non-interactive modes remain similarly vulnerable for the same reason.

Notably, Anthropic already has a viable fix available. The source code includes a tree-sitter parser capable of rigorously analyzing bash commands of any complexity. Furthermore, according to Adversa’s findings, the vulnerability could be closed by altering a single line in the bashPermissions.ts file: specifically, changing the value of the behavior key from ask to deny. This change would have closed the gap, yet it has so far not appeared in the public releases of Claude Code. Adversa maintains that this represents a fundamental failure in the security policy enforcement mechanism, which may carry significant implications regarding regulatory compliance.
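The capped check and the one-word fix described above can be modelled in a few lines. This is an added example, not code from Claude Code or from Adversa: the function names, the naive command splitter and the placeholder host are assumptions, and only the constant's name and value come from the article.

```typescript
// Added illustration: a simplified model, not Anthropic's implementation.
type Decision = "allow" | "ask" | "deny";
// Name and value as the article reports them from bashPermissions.ts.
const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50;

// Assumption: naive split on ;, &&, || and |, ignoring quoting. A real checker
// needs a proper bash parser (the article mentions tree-sitter).
function splitSubcommands(command: string): string[] {
  return command
    .split(/&&|\|\||;|\|/)
    .map((part) => part.trim())
    .filter((part) => part.length > 0);
}

// Assumption: the first word of a subcommand is the program it runs.
function isDenied(subcommand: string, denied: string[]): boolean {
  const program = subcommand.split(/\s+/)[0] ?? "";
  return denied.indexOf(program) !== -1;
}

// Capped check: past the cap the deny rules are never evaluated, and the
// result is whatever `overCap` says ("ask" fails open, "deny" fails closed).
function cappedCheck(command: string, denied: string[], overCap: "ask" | "deny"): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) return overCap;
  return subs.some((s) => isDenied(s, denied)) ? "deny" : "allow";
}

// Uncapped check: every subcommand is tested against the deny rules.
function fullCheck(command: string, denied: string[]): Decision {
  return splitSubcommands(command).some((s) => isDenied(s, denied)) ? "deny" : "allow";
}

// Constructed sample mirroring the researchers' test: n no-op `true`
// subcommands followed by one curl call to a placeholder host.
function paddedCommand(n: number): string {
  const parts: string[] = [];
  for (let i = 0; i < n; i++) parts.push("true");
  parts.push("curl https://example.invalid");
  return parts.join(" && ");
}

const DENIED = ["curl"];
const results = {
  short: cappedCheck(paddedCommand(1), DENIED, "ask"),        // "deny"
  paddedAsk: cappedCheck(paddedCommand(50), DENIED, "ask"),   // "ask"
  paddedDeny: cappedCheck(paddedCommand(50), DENIED, "deny"), // "deny"
  paddedFull: fullCheck(paddedCommand(50), DENIED),           // "deny"
};
```

With the over-cap behaviour set to ask, the same curl rule that blocks the short command is never consulted for the padded one; either failing closed or checking every subcommand restores the deny.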
