Security: Predictable temp file names in /tmp vulnerable to symlink attacks

Resolved 💬 4 comments Opened Dec 15, 2025 by adereis Closed Feb 28, 2026

Summary

Claude Code creates temporary files with predictable names in global temporary directories (e.g., /tmp). This is vulnerable to symlink attacks (TOCTOU race conditions), a well-known class of security vulnerabilities.

The Attack

  1. Attacker predicts the filename Claude Code will create (e.g., /tmp/claude-export.csv)
  2. Attacker pre-creates a symlink: /tmp/claude-export.csv~/.ssh/authorized_keys
  3. Claude Code writes to what it believes is a temp file
  4. The symlink target is overwritten instead, leading to privilege escalation or data corruption

This is especially concerning in multi-user systems or shared environments.

Recommended Mitigations

  1. Use unpredictable filenames: Use mktemp or equivalent with random suffixes
  2. Use private directories: Prefer $XDG_RUNTIME_DIR (user-private, tmpfs-backed), or fall back to $TMPDIR / ~/tmp
  3. Use safe file creation flags: O_EXCL | O_NOFOLLOW to fail if file exists or is a symlink
  4. Set restrictive permissions: 0600 for files, 0700 for directories

References

Current Workaround

Users can instruct Claude Code to use ~/tmp instead of /tmp via CLAUDE.md, but this relies on user awareness and doesn't address the predictable filename issue.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗