AI SECURITY · Apr 2026 · 5 min read
Claude Code's Bash permission deny rules can be completely bypassed by writing denied commands into a script file and executing it. The parser evaluates only the script path, not its contents. Five explicitly denied commands executed and exfiltrated data to an external endpoint.
PAPER · Mar 2026 · 2 min read
Empirical analysis of MCP configuration attacks in Claude Code with enterprise defensive architecture recommendations.
AI SECURITY · Mar 2026 · 4 min read
The Claude Code remote-control session events endpoint lacks per-session authentication, enabling invisible remote command execution from any machine on the internet.
AI SECURITY · Mar 2026 · 3 min read
A malicious MCP server can misrepresent tool actions in Claude Code's confirmation prompt, causing users to approve a file read while the server silently executes system commands.
AI SECURITY · Mar 2026 · 3 min read
How the 'Use this and all future MCP servers' option grants permanent, unbounded trust to arbitrary MCP server definitions added after the initial consent.
AI SECURITY · Mar 2026 · 3 min read
How a one-time trust decision in Claude Code enables silent arbitrary command execution when .mcp.json is modified after initial approval.