[BUG] Bare prompt 'changelog' can trigger recursive 'claude changelog' self-invocation, spawning hundreds of sessions and exhausting quota
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version that reproduced the issue
What's Wrong?
A bare prompt like changelog can trigger Claude Code to use Bash to run:
claude --changelogclaude changelog
The second form is dangerous because claude changelog is not a real Claude Code subcommand. Instead, it starts a new Claude session with changelog as the prompt.
That new session may then make the same mistake again and run claude changelog, recursively spawning more sessions.
In my case this created a session storm and rapidly exhausted quota.
What Should Happen?
Claude Code should never recursively invoke claude through Bash for tasks like viewing changelogs or release notes.
At minimum:
- the model/tool policy should avoid
claude ...self-invocation - or the CLI should detect and block obvious recursive self-invocation patterns
- or
claude changelogshould fail safely instead of starting a new interactive session withchangelogas a prompt
Steps to Reproduce
- Use Claude Code CLI v2.1.110
- In an interactive session, submit the bare prompt:
````
changelog
- In affected cases, Claude tries to inspect the changelog by running Bash commands like:
claude --changelog 2>/dev/null || claude changelog 2>/dev/null || echo ...
- Since
claude changelogis not a real subcommand, it launches a fresh Claude session with promptchangelog - The new session can repeat the same behavior, leading to recursive self-invocation
Evidence
I verified with claude --help that there is no changelog command.
From local transcripts under ~/.claude/projects/-home-szw/*.jsonl:
- 863 independent sessions started with prompt
changelog - time window: 2026-04-16 01:40Z to 02:24Z
- peak rate: 60 sessions per minute
- all affected sessions were on Claude Code v2.1.110
- 661 sessions explicitly contained Bash tool calls matching:
claude --changelogclaude changelog
Representative transcript pattern:
- user prompt:
changelog - assistant thinks it should inspect Claude Code changelog
- assistant uses Bash to run
claude --changelog || claude changelog claude changeloglaunches a new Claude session with promptchangelog- recursion continues until permission failures / 429 / quota exhaustion
Additional Context
This issue is distinct from token-accounting inflation bugs like #41346. In this incident, the primary problem is that real new sessions are being spawned recursively, not just duplicated log rows.
The impact can be amplified if the local permission config allows broad Bash(claude:*) execution without prompting.
Environment
- Claude Code version: 2.1.110
- Current downgraded version after incident: 2.1.108
- Platform: Linux
- Working directory during reproduction:
/home/szw - Permissions had previously allowed broad
Bash(claude:*)
Suggested Fixes
Possible mitigations:
- Prevent model-initiated Bash self-invocation of
claudeby default - Add a recursion guard when Claude is launched from inside an existing Claude-controlled Bash tool call
- Treat unknown subcommands like
claude changelogas a hard CLI error instead of falling back into prompt mode - Add explicit tool-side warnings/blocking for commands matching
claude <single-word-prompt>inside Bash
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗