[BUG]
Here's the filled bug report for this CRITICAL security issue:
Environment
Platform (select one):
Anthropic API
Claude CLI version: 1.0.9 (Claude Code)
Operating System: macOS 15.5
Terminal: native
Bug Description
CRITICAL SECURITY VULNERABILITY: Claude Code completely ignores deny rules and --disallowedTools flag, allowing unauthorized execution of bash commands including file deletion (rm) and git operations.
Steps to Reproduce
Reset all Claude Code settings by removing config files:
bashmv ~/.claude.json ~/.claude.json.backup
mv ~/.claude/settings.json ~/.claude/settings.json.backup
Start Claude Code with explicit disallowed tools:
bashclaude --allowedTools "Read,Write,Edit" --disallowedTools "Bash(*)"
Add deny rules via /permissions command:
Add Bash(cd*) to deny list
Add Bash(git*) to deny list
Add Bash(python*) to deny list
Add Bash(rm*) to deny list
Ask Claude to perform any task that involves git or file operations
Expected Behavior
Claude Code should request permission before executing ANY bash command when --disallowedTools "Bash(*)" is specified
Commands matching deny rules (like cd, git, rm*) should ALWAYS require permission
Deny rules should prevent automatic execution of matching commands
Actual Behavior
Claude Code executes bash commands WITHOUT permission despite --disallowedTools "Bash(*)" flag
Commands like Bash(cd /path && git commit -m "message") execute automatically despite Bash(cd*) being in deny list
Commands like Bash(cd /path && rm file.py) execute automatically despite Bash(rm*) being in deny list
Deny rules are completely ignored
This allows Claude Code to:
Delete files without permission
Make git commits without permission
Execute Python scripts without permission
Potentially execute ANY command without user consent
Additional Context
This is a CRITICAL security vulnerability that gives Claude Code unrestricted access to the file system and git operations despite explicit user configuration to prevent this. The permission system appears to be completely broken.
Commands that bypassed deny rules include:
Bash(cd /Users/deepwork/TAC\ Weekly\ News\ Aggregation\ System && python test_stale_collection_fix.py --real)
Bash(cd /Users/deepwork/TAC\ Weekly\ News\ Aggregation\ System && git add sources/x/collector.py sources/x/state_manager.py)
Bash(cd /Users/deepwork/TAC\ Weekly\ News\ Aggregation\ System && rm check_x_collection_state.py fix_stuck_collections.py)
Bash(cd /Users/deepwork/TAC\ Weekly\ News\ Aggregation\ System && git checkout -- check_x_collection_state.py fix_stuck_collections.py)
All of these executed WITHOUT requesting permission, despite having deny rules that should have blocked them.RetryClaude can make mistakes. Please double-check responses.
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗