7 Vulnerabilities in Claude Code's Internal Architecture
Static Analysis of a Leaked AI Assistant CLI — Permission Bypass, SSRF, Prompt Injection, and More
Advanced | 22 min read | 2026-03
01_THE_CHALLENGE
The leaked source (cli.js.map) exposed the full TypeScript architecture of an AI CLI handling arbitrary file system access, shell execution, and external HTTP requests — all gated behind a permission system. The challenge: systematically audit every trust boundary before the window closed.
02_THE_SOLUTION
Methodical layer-by-layer static analysis:
• Prompt injection defense — CLAUDE.md include chain, nested file loading
• Permission system — TOCTOU races, symlink resolution, classifier gaps
• Tool execution — WebFetch SSRF vectors, Skill tool argument injection
• Infrastructure — upstream proxy CA certificate trust
• Information disclosure — undercover mode sanitization gaps
Each finding includes a reproduction path, CVSS-style impact assessment, and a concrete fix proposal.
03_IMPACT_METRICS
Technical_Impact
- 7 vulnerabilities identified across 4 distinct attack layers
- CC-001: CLAUDE.md nested includes enable prompt injection via repo content
- CC-002: Symlink resolution TOCTOU — permission check and file read are non-atomic
- CC-003: Upstream proxy CA injection — attacker-controlled cert trusted at CCR layer
- CC-004: Bash classifier absent in external builds — permission bypass in non-Anthropic forks
- CC-005: WebFetch SSRF via crafted query parameters reaching internal endpoints
- CC-006: Skill tool argument injection — user-supplied args reach prompt without sanitization
- CC-007: Undercover mode leaks partial identity through response phrasing patterns
Business_Impact
- Responsible disclosure filed — no public exploit released
- Research published on Al Bayrouni before any competing analysis
- Demonstrates AI system security auditing as an emerging discipline
- Methodology reusable across any AI CLI with tool execution capabilities
05_TECH_STACK
Security Research, Static Analysis, Prompt Injection, SSRF, Permission Systems, AI Security, Responsible Disclosure