VulnWatch
High github · GHSA-g3xq-3gmv-qq8g

claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh

Published May 13, 2026 CVSS 0.0

Summary

tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process.

Affected versions

  • v3.5.0
  • v3.5.1

Patched versions

  • v3.5.2

Affected configurations

Users who wired tools/quota-statusline.sh into Claude Code's statusLine configuration. The v3.5.0 README explicitly recommends this setup, so most users on v3.5.0/v3.5.1 with the recommended setup are affected.

Attack chain

Claude Code's statusline hook payload reflects user-controlled paths (cwd, workspace.current_dir, workspace.project_dir, transcript_path). Apostrophes are legal in POSIX filesystem paths.

  1. A hostile directory name containing '''+payload+''' lands on disk via any normal vector — git clone, archive extraction, npm package, downloaded zip, etc.
  2. The victim has the recommended tools/quota-statusline.sh wired into their CC statusLine config.
  3. The victim cds anywhere a hostile path is reachable.
  4. CC fires the statusline hook on every redraw. The Python literal closes early. The injected bytes execute as Python in the user's process.

Severity

Local code execution at user privilege. Persistent re-fire on every statusline redraw. No user interaction beyond cd-ing into the hostile path. The user's shell, CC session, files, SSH keys, and any locally-accessible credentials are reachable from the executed code.

Vulnerable pattern

input=$(cat)
result=$(python3 -c "
import json
# The raw hook payload is spliced into the Python source text. A ''' inside
# any payload field closes the literal early; whatever follows is parsed as code.
stdin_data = json.loads('''$input''') if '''$input''' else {}
")

Fix

Capture stdin in bash, export to env, and pipe the Python source through a single-quoted heredoc (`
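The fixed shape described above, written out as an added example (this is not the project's own script): the shell captures stdin, exports it, and Python reads it back from the environment, while the Python source is a single-quoted heredoc so no payload byte ever becomes Python source text. The helper name payload_cwd and the variable name HOOK_INPUT are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the project's own code. The payload travels as data
# (an environment variable); the Python source is a single-quoted heredoc,
# so the shell performs no expansion inside it.

# Hypothetical helper: prints the payload's "cwd" field (empty if absent).
payload_cwd() {
  HOOK_INPUT=$(cat)          # 1. capture the hook's stdin in the shell
  export HOOK_INPUT          # 2. hand it to Python as data, not as source
  python3 - <<'PY'
import json, os, sys

raw = os.environ.get("HOOK_INPUT", "")
try:
    data = json.loads(raw) if raw else {}
except json.JSONDecodeError:
    data = {}  # a malformed payload is bad data, never code
if not isinstance(data, dict):
    data = {}
sys.stdout.write(str(data.get("cwd", "")))
PY
}

# Constructed sample payload: the cwd carries the ''' sequence that, under
# the vulnerable pattern, would end the Python literal early.
TQ="'''"
HOSTILE_PAYLOAD="{\"cwd\": \"/home/u/${TQ}+payload+${TQ}\", \"workspace\": {\"current_dir\": \"/home/u\"}}"

# Run stand-alone: prints the cwd with the ''' bytes intact, i.e. as data.
printf '%s' "$HOSTILE_PAYLOAD" | payload_cwd
echo
```

Empty stdin and non-JSON stdin both yield an empty cwd rather than a Python error, which matters for a hook that fires on every redraw.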

Affected AI Products

Claude Code