A critical security flaw has been identified in Anthropic’s Claude Code GitHub Action, potentially allowing attackers to hijack public repositories by exploiting a single GitHub issue. This vulnerability underscores the risks associated with integrating AI tools into development workflows without stringent security measures.
The Claude Code GitHub Action is designed to seamlessly incorporate Anthropic’s AI assistant, Claude, into continuous integration and deployment (CI/CD) pipelines. It automates tasks such as issue triaging, labeling, pull request reviews, and executing slash commands. By default, this action is granted read and write access to a repository’s codebase, issues, pull requests, discussions, and workflow files, necessitating robust security protocols to prevent unauthorized access.
The discovered vulnerability stems from the action’s mechanism for verifying the legitimacy of triggers. Specifically, the action permitted any actor whose username concluded with “[bot]” to initiate workflows, operating under the assumption that such accounts were associated with trusted GitHub Apps. However, this oversight allowed malicious actors to create GitHub Apps, install them on their repositories, and use the associated tokens to open issues or pull requests on public repositories. The action would then recognize these as legitimate triggers, enabling attackers to execute arbitrary code within the target repository’s environment.
Exploiting this flaw involved a technique known as indirect prompt injection. Attackers could craft issue content that appeared as error messages, embedding commands that, when processed by Claude, would execute unintended actions. A notable target was the Linux file /proc/self/environ, which contains environment variables, including sensitive information. By manipulating Claude into accessing this file, attackers could extract secrets and credentials, such as the OpenID Connect (OIDC) token used by GitHub Actions. This token could then be exchanged for a Claude GitHub App installation token with write access, granting attackers control over the repository’s code and workflows.
Security researcher RyotaK from GMO Flatt Security reported this vulnerability to Anthropic in January. The company responded promptly, releasing a fix within four days and implementing additional security enhancements over the following months. The patched version, claude-code-action v1.0.94, addresses the identified issues. Anthropic assigned a Common Vulnerability Scoring System (CVSS) score of 7.8 to this flaw and awarded a bug bounty to the researcher.
To mitigate potential risks, repository maintainers are advised to update to claude-code-action v1.0.94 or later. Additionally, it’s crucial to audit workflows that permit triggers from users without write access or from bot accounts. Ensuring that such workflows do not process untrusted input or expose sensitive information is essential. Limiting the permissions granted to the action and removing tools that could facilitate data exfiltration can further enhance security.
This incident highlights the broader challenges associated with integrating AI-driven tools into software development processes. While these tools offer significant efficiencies, they also introduce new attack vectors that can be exploited if not properly secured. The rapid response by Anthropic demonstrates the importance of proactive vulnerability management and the need for continuous monitoring and updating of third-party integrations to maintain a secure development environment.
