claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2.
claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh
Problem type
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
Affected products
cnighswonger
>= 3.5.0, < 3.5.2 - AFFECTED
References
https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g
https://github.com/cnighswonger/claude-code-cache-fix/issues/108
https://github.com/cnighswonger/claude-code-cache-fix/pull/110
GitHub Security Advisories
GHSA-g3xq-3gmv-qq8g
claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh
https://github.com/advisories/GHSA-g3xq-3gmv-qq8g
Summary
tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process.
Affected versions
- v3.5.0
- v3.5.1
Patched versions
- v3.5.2
Affected configurations
Users who wired tools/quota-statusline.sh into Claude Code's statusLine configuration. The v3.5.0 README explicitly recommends this setup, so most users on v3.5.0/v3.5.1 with the recommended setup are affected.
Attack chain
Claude Code's statusline hook payload reflects user-controlled paths (cwd, workspace.current_dir, workspace.project_dir, transcript_path). Apostrophes are legal in POSIX filesystem paths.
- A hostile directory name containing '''+payload+''' lands on disk via any normal vector (git clone, archive extraction, npm package, downloaded zip, etc.).
- The victim has the recommended tools/quota-statusline.sh wired into their CC statusLine config.
- The victim runs cd anywhere a hostile path is reachable.
- CC fires the statusline hook on every redraw. The Python literal closes early. The injected bytes execute as Python in the user's process.
Severity
Local code execution at user privilege. Persistent re-fire on every statusline redraw. No user interaction beyond cd-ing into the hostile path. The user's shell, CC session, files, SSH keys, and any locally-accessible credentials are reachable from the executed code.
Vulnerable pattern
input=$(cat)
result=$(python3 -c "
import json
# \$input is expanded by bash inside the Python source text, so a ''' in the
# payload terminates the literal and the remaining bytes are parsed as Python.
stdin_data = json.loads('''$input''') if '''$input''' else {}
")
Fix
Capture stdin in bash, export to env, and pipe the Python source through a single-quoted heredoc (<<'PYEOF'). Single-quoting disables ALL bash interpolation inside the body. Python reads the JSON via os.environ.get('CC_INPUT'), where the bytes are inert at every layer.
CC_INPUT=$(cat)
export CC_INPUT
python3 <<'PYEOF' 2>/dev/null
import os, json
try:
    cc_input = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:
    cc_input = {}
# ...
PYEOF
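The patched pattern above, wrapped in a shell function so it can be exercised against a payload that carries the ''' sequence. This is an added example, not the project's script; the field names (cwd, workspace.project_dir) are those the advisory lists, and the payload is constructed.

```shell
#!/bin/sh
# Added example (not the project's own code): the env-var + single-quoted
# heredoc pattern from the fix, as a testable function.

# Reads a Claude Code hook payload on stdin and prints "<cwd>|<project_dir>".
# The payload never becomes part of Python source text: bash holds it in
# CC_INPUT, and the quoted heredoc delimiter disables every interpolation.
statusline_fields() {
  CC_INPUT=$(cat)
  export CC_INPUT
  python3 <<'PYEOF'
import os, json
try:
    data = json.loads(os.environ.get('CC_INPUT') or '{}')
except Exception:          # malformed payload: degrade to an empty status
    data = {}
ws = data.get('workspace') or {}
print(f"{data.get('cwd', '')}|{ws.get('project_dir', '')}")
PYEOF
}

# Constructed payload: the cwd contains the ''' sequence from the advisory.
# It is printed back verbatim, because it was parsed as JSON, never as Python.
sample_payload="{\"cwd\": \"/home/u/proj'''+x+'''\", \"workspace\": {\"project_dir\": \"/home/u/proj\"}}"
printf '%s' "$sample_payload" | statusline_fields
```

Expected output is `/home/u/proj'''+x+'''|/home/u/proj`; the same function fed non-JSON prints just `|`.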
Workarounds
Until upgrading to v3.5.2:
- Disable the statusline by removing the statusLine entry from ~/.claude/settings.json, or
- Replace tools/quota-statusline.sh with a script that does NOT pass stdin through python3 -c "..." (a heredoc + env var rewrite is safe)
Credit
Reported by Jakob Linke (@schuay) via GitHub issue #108.
Timeline
- 2026-05-07 — reported (#108)
- 2026-05-07 — confirmed, fix implemented (#110)
- 2026-05-07 — v3.5.2 published
https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g
https://github.com/cnighswonger/claude-code-cache-fix/issues/108
https://github.com/cnighswonger/claude-code-cache-fix/pull/110
https://github.com/cnighswonger/claude-code-cache-fix/commit/613e4df30547f3e6baf32d161eddc828f171da17
https://github.com/advisories/GHSA-g3xq-3gmv-qq8g
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-45136
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-45136",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-05-27T20:48:22.312Z",
"dateReserved": "2026-05-08T20:08:17.210Z",
"datePublished": "2026-05-27T20:48:22.312Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-05-27T20:48:22.312Z"
},
"title": "claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh",
"descriptions": [
{
"lang": "en",
"value": "claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user's Claude Code process. This vulnerability is fixed in 3.5.2."
}
],
"affected": [
{
"vendor": "cnighswonger",
"product": "claude-code-cache-fix",
"versions": [
{
"version": ">= 3.5.0, < 3.5.2",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"cweId": "CWE-78",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"lang": "en",
"description": "CWE-94: Improper Control of Generation of Code ('Code Injection')",
"cweId": "CWE-94",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g",
"name": "https://github.com/cnighswonger/claude-code-cache-fix/security/advisories/GHSA-g3xq-3gmv-qq8g",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/cnighswonger/claude-code-cache-fix/issues/108",
"name": "https://github.com/cnighswonger/claude-code-cache-fix/issues/108",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/cnighswonger/claude-code-cache-fix/pull/110",
"name": "https://github.com/cnighswonger/claude-code-cache-fix/pull/110",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}