[Bug] Bash tool stdout corruption and XML framing leakage under concurrent calls

Open 💬 0 comments Opened Jul 8, 2026 by meowalien

Bug Description
Bug Report — Claude Code: Bash tool stdout corruption & background-agent notification failure Summary During a multi-step git-worktree cleanup task, the Bash tool's output channel became progressively corrupted: commands executed correctly against the repo, but their returned stdout was intermittently empty, cross-contaminated between calls, character-scrambled, and polluted with the tool protocol's own XML markers. This made it impossible to trust command results and made the session unusable for destructive git operations. Separately, a background subagent's completion notification never fired, leaving the session appearing "stuck." The underlying git operations did succeed (verified with minimal single commands), so this is a tool I/O / transport defect, not a logic error. Environment - Product: Claude Code (CLI); Model: claude-opus-4-8[1m] - Platform: macOS (Darwin 25.5.0), shell: zsh; inside a git repo Symptoms (most→least severe) 1. Cross-contamination + character scrambling — e.g. real path scripts/cost_bench.py came back as 't/cost_bench.py', duplicated and interleaved with an unrelated earlier command's output: error: fatal: 't/1password-plumbing' does not exist in HEAD 't/1password-plumbing' does not exist 2. Tool-protocol XML leaking into payloads — </parameter>, </output>, </result> framing tags appended inside command output. 3. Intermittent empty returns — commands ran (side effects confirmed) but returned nothing; one "written to <path>" success was contradicted by a follow-up cat reporting No such file or directory. 4. Correlated with parallelism — issuing multiple Bash calls in one turn reliably triggered/worsened it; one minimal command per turn was more reliable but not immune. 5. Background subagent notification never fired — launched "successfully," completion callback never arrived; session appeared hung. Impact Could not trust any single command's output; every result needed a confirming re-run. High risk during destructive ops (git worktree remove, git branch -D). Task could not be completed in-session. The silent nature (fabricated/empty output instead of an error) is the most dangerous aspect. Severity: High The Bash tool is a coding agent's primary interface; silent output corruption means the agent can neither verify state nor safely perform destructive operations. Suggested investigation - Bash stdout buffering/interleaving under concurrent tool calls in one turn - Leakage of tool-result XML framing into captured stdout (escaping boundary) - Background/async subagent completion-notification delivery

Environment Info

  • Platform: darwin
  • Terminal: iTerm.app
  • Version: 2.1.203
  • Feedback ID: e5de1687-8110-4b35-871d-01a0e25f53e5

Errors

[]

View original on GitHub ↗