Security vulnerabilitty found in axios. Is claude code affected?
Original security report: https://github.com/axios/axios/issues/10604
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
https://github.com/axios/axios/issues/10611
Trojan exploit currently being uncovered at the axios repo. From quick inspection of files from npm and issues on this repo it seems that axios might be used here.
Could you clarify if axios is used in claude-code and if yes, which version? Is claude-code affected?
Check performed:
cd /tmp
npm pack @anthropic-ai/claude-code
tar xzf anthropic-ai-claude-code-*.tgz
grep -r "axios" package/ --include="*.js" -l
output:
npm notice
npm notice 📦 @anthropic-ai/claude-code@2.1.87
npm notice Tarball Contents
npm notice 147B LICENSE.md
npm notice 2.0kB README.md
npm notice 596B bun.lock
npm notice 13.0MB cli.js
npm notice 1.2kB package.json
npm notice 116.9kB sdk-tools.d.ts
npm notice 439.1kB vendor/audio-capture/arm64-darwin/audio-capture.node
npm notice 458.8kB vendor/audio-capture/arm64-linux/audio-capture.node
npm notice 447.5kB vendor/audio-capture/arm64-win32/audio-capture.node
npm notice 431.3kB vendor/audio-capture/x64-darwin/audio-capture.node
npm notice 494.5kB vendor/audio-capture/x64-linux/audio-capture.node
npm notice 492.5kB vendor/audio-capture/x64-win32/audio-capture.node
npm notice 4.4MB vendor/ripgrep/arm64-darwin/rg
npm notice 5.2MB vendor/ripgrep/arm64-linux/rg
npm notice 3.9MB vendor/ripgrep/arm64-win32/rg.exe
npm notice 126B vendor/ripgrep/COPYING
npm notice 5.2MB vendor/ripgrep/x64-darwin/rg
npm notice 6.6MB vendor/ripgrep/x64-linux/rg
npm notice 5.4MB vendor/ripgrep/x64-win32/rg.exe
npm notice Tarball Details
npm notice name: @anthropic-ai/claude-code
npm notice version: 2.1.87
npm notice filename: anthropic-ai-claude-code-2.1.87.tgz
npm notice package size: 17.4 MB
npm notice unpacked size: 46.6 MB
npm notice shasum: 7727a2e69353a24eb9adf89b6134fd207c086a2a
npm notice integrity: sha512-R40p85lv270Ms[...]t5CDw++tKZD0g==
npm notice total files: 19
npm notice
anthropic-ai-claude-code-2.1.87.tgz
package/cli.js
What Should Happen?
Clarify if axios is being used here. And if any of the claude-code versions are effected by the exploit
https://github.com/axios/axios/issues/10611
Error Messages/Logs
Steps to Reproduce
Provided checks i pervormed above
Claude Model
None
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
unknown
Platform
Anthropic API
Operating System
Other
Terminal/Shell
Other
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗