Claude Code: Insecure Temporary File in /copy Command Enables Response Disclosure and Symlink-Based File Write
Claude Code is an agentic coding tool. From 2.1.59 until 2.1.128, the Claude Code /copy command wrote responses to a hardcoded, predictable path (/tmp/claude/response.md) without UID isolation, randomness, or symlink protection. The file was created world-readable (0644) in a world-traversable directory (0755), allowing any local user to read a privileged user's Claude response, which could contain secrets or credentials. Additionally, because the path was static and predictable, a local attacker could pre-create the directory and plant a symlink at the expected file path, causing the privileged process to follow the symlink and overwrite an attacker-chosen file with the response text. Exploiting this required a local unprivileged user on the same system and a privileged user to run the /copy command. This vulnerability is fixed in 2.1.128.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-59 | CWE-59: Improper Link Resolution Before File Access ('Link Following') |
| CWE | CWE-200 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| CWE | CWE-377 | CWE-377: Insecure Temporary File |
Type: CWE
Description: CWE-59: Improper Link Resolution Before File Access ('Link Following')
Type: CWE
Description: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Type: CWE
Description: CWE-377: Insecure Temporary File
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 4.0 | 4.4 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N |
Version: 4.0
Base score: 4.4
Base severity: MEDIUM
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N