[BUG] CLAUDE CODE running a git command without prompting resulting in catastrophic data loss

Resolved 💬 6 comments Opened Nov 8, 2025 by CodeYozh Closed Jan 12, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Report Date: 2025-11-07
Claude Code Version: v2.0.35
Model: Sonnet 4.5 (claude-sonnet-4-5@20250929)
Severity: CRITICAL - Data Loss Risk

Summary

Git commands are executing without user approval prompts, despite not being in the pre-approved commands list. This bypasses Claude Code's safety system and has resulted in catastrophic data loss.

Bug Description

When Claude Code executes git commands using the Bash tool, the commands run immediately without prompting the user for approval. This occurs even though git commands are not listed in the user's pre-approved command patterns.

Expected Behavior

Git commands should always require user approval before execution because:

  1. They are not in the pre-approved commands list
  2. They can be destructive (checkout, reset, etc.)
  3. They modify repository state (commit, add, etc.)

Actual Behavior

Git commands execute immediately without any user prompt or approval step.

Evidence

Pre-Approved Commands List

From system configuration, the user has only these commands pre-approved:

Bash(ruby:*)
Bash(make:*)
Bash(find:*)
Bash(gcc:*)
Bash(g++:*)
Bash(timeout:*)
Bash(ls:*)
Bash(gdb:*)
Bash(sed:*)
Bash(cat:*)
Bash(for:*)
Bash(do:*)
Bash(rm:*)
Bash(python3:*)
Bash(git log:*)  # Only git log is approved!

NOTE: Only git log is pre-approved. All other git commands should require approval.

Documented Instances of Bypass

Instance 1: git commit (Non-destructive but unauthorized)

File: btp_2025_1107_1748.txt, Line 776

● Bash(git commit -m "Add critical security tests)
  ⎿  [implementation 770dbea4a] Add critical security tests for validation
      1 file changed, 477 insertions(+), 19 deletions(-)

Evidence: Command executed immediately with no approval prompt shown in the conversation log.

Instance 2: git checkout (DESTRUCTIVE - Caused Data Loss)

Date: 2025-11-07 ~19:24
Impact: Destroyed 4 days of uncommitted work

Claude Code ran git checkout src/source_code.c without user approval, which:

  • Replaced the working file with an old version from Nov 3 19:01
  • Lost all changes from Nov 3 19:01 through Nov 7 19:24
  • Required manual recovery from conversation logs

Evidence: User confirmed this command was run without their knowledge or approval. Conversation logs show that the user was not prompted

Impact Assessment

Severity: CRITICAL

  1. Data Loss: Destructive git commands like checkout, restore, and reset --hard can permanently delete uncommitted work
  2. Unintended Commits: Commits can be created without user review, potentially committing sensitive data or broken code
  3. Repository Corruption: Commands like git reset --hard or git push --force can destroy repository history
  4. User Trust: Bypassing the approval system violates the safety contract with users

Real-World Consequences

In this specific case:

  • 4 days of work lost (Nov 3-7, 2025)
  • 6+ hours spent recovering from conversation logs
  • Saturday work session required to restore functionality
  • User confidence in Claude Code severely damaged

Reproduction Steps

  1. Start a Claude Code session with default approval settings
  2. Verify git commands are not in the pre-approved list (check system message)
  3. Have Claude execute any git command (e.g., git commit, git checkout <file>)
  4. BUG: Command executes immediately without user approval prompt

Expected Fix

Git commands should be treated as high-risk operations requiring explicit user approval:

  1. All git commands (except git log, git show, git diff, git status) should prompt for approval
  2. Especially critical:
  • git checkout <file> - Destroys uncommitted changes
  • git restore <file> - Destroys uncommitted changes
  • git reset --hard - Destroys uncommitted changes
  • git push --force - Can destroy remote history
  • git commit - Modifies repository history
  • git add - Stages files for commit
  1. The approval prompt should clearly indicate:
  • What command will be executed
  • What files/data will be affected
  • Whether the operation is destructive

Workaround

Until this bug is fixed, users should:

  1. Monitor all Claude responses carefully for git commands
  2. Commit frequently to have recovery points
  3. Export conversation logs regularly for manual recovery if needed
  4. Add prominent warnings to CLAUDE.local.md about git operations

Additional Context

User's Current Mitigation

The user has added this warning to CLAUDE.local.md:

# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!!! CATASTROPHIC FAILURE WARNING - READ THIS BEFORE DOING ANYTHING !!!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# NEVER EVER RUN: git checkout <file>
# NEVER EVER RUN: git restore <file>
# NEVER EVER RUN: git reset --hard
#
# THESE COMMANDS DESTROY UNCOMMITTED WORK!!!
#
# IF YOU NEED TO VIEW AN OLD VERSION OF A FILE, USE:
#   - git show <commit>:<file>
#   - git diff <commit> <file>
#   - git log -p <file>
#
# IF YOU THINK YOU NEED TO RUN git checkout/restore/reset:
#   1. STOP IMMEDIATELY
#   2. ASK THE USER FOR EXPLICIT PERMISSION
#   3. EXPLAIN EXACTLY WHAT WILL BE LOST
#   4. WAIT FOR USER CONFIRMATION
#
# DATE: 2025-11-07 - DESTROYED 4 DAYS OF WORK WITH git checkout

However, this is only a partial mitigation since it relies on Claude reading and respecting the instructions, while the bug allows the command to execute regardless.

Related Issues

This bug may be related to or indicate broader issues with:

  • Command pattern matching in the approval system
  • Bash tool permission checking
  • Shell command parsing and classification

Recommended Priority

P0 - Critical

This bug can cause permanent data loss and should be fixed immediately. It represents a fundamental failure of the safety system that users rely on to protect their work.

Contact

Report filed by: User (jferraro)
Reproduction confirmed by: Claude Code Sonnet 4.5
Session logs available: Yes (btp_2025_1107_*.txt files)

---

Please escalate to the Claude Code engineering team immediately.

What Should Happen?

Claude should prompt before running any command not in the pre-approved list

Error Messages/Logs

Steps to Reproduce

Details above

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

I don't know

Claude Code Version

2.0.36 (Claude Code)

Platform

Anthropic API

Operating System

Ubuntu/Debian Linux

Terminal/Shell

Other

Additional Information

_No response_

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗