Skip to main content
Application Security Standards
Security Fix Exists, But Your Users Are Still VulnerableIncident
4 min readFor Compliance Teams

Security Fix Exists, But Your Users Are Still Vulnerable

What Happened

Adversa discovered a vulnerability in Claude Code that allows attackers to bypass security controls by submitting more than 50 subcommands in a single request. When the system encounters this volume of commands, it skips its compute-intensive security analysis entirely—the digital equivalent of a guard turning off metal detectors because the line is too long.

Anthropic developed a fix: a tree-sitter parser that properly handles high-volume command inputs. The fix exists in their codebase. It's tested. It works. However, it is not enabled in the public builds your teams are using.

Timeline

The exact discovery and disclosure dates aren't public, but the sequence matters more than the timestamps:

  1. Adversa identified the 50-subcommand bypass technique.
  2. Anthropic was notified and developed the tree-sitter parser fix.
  3. The fix was validated internally.
  4. Public builds continue shipping without the fix enabled.

This isn't a zero-day that caught everyone off guard. This is a known vulnerability with a known solution that remains exploitable in production.

Which Controls Failed or Were Missing

Vulnerability Management Process

The breakdown isn't technical—it's operational. Anthropic has the code to prevent this attack. The failure is in the deployment pipeline between "fix validated" and "fix protecting users."

This represents a gap in:

  • Release management procedures
  • Security patch prioritization
  • Production deployment controls
  • Rollout verification

Configuration Management

The tree-sitter parser exists but isn't active. This is a configuration state problem. Someone—or some process—needs to flip the switch, and it hasn't happened.

This points to missing controls around:

  • Feature flag management for security components
  • Default-secure configuration enforcement
  • Post-deployment verification that security features are active

Change Control

There's no evidence of a deliberate decision to delay the fix. That suggests the change control process doesn't have adequate guardrails to escalate security-critical changes through the deployment pipeline.

What the Relevant Standards Require

PCI DSS v4.0.1 Requirement 6.3.2

"Security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)."

Once you know about a vulnerability—especially one with a ready fix—you're required to track it and remediate it according to your risk assessment. Leaving a fix disabled in production would fail most audit interpretations of timely remediation.

PCI DSS v4.0.1 Requirement 6.3.3

"An inventory of bespoke and custom software, and third-party software components incorporated into bespoke and custom software is maintained to facilitate vulnerability and patch management."

You need to know what version of Claude Code you're running and whether security features are enabled. If the tree-sitter parser is a component that exists but isn't active, your inventory should reflect that gap.

ISO/IEC 27001:2022 Control 8.8 (Management of Technical Vulnerabilities)

"Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities evaluated and appropriate measures taken."

Having a fix available but not deployed doesn't meet the "appropriate measures taken" threshold. The control requires action, not just awareness.

NIST 800-53 Rev 5 SI-2 (Flaw Remediation)

"The organization identifies, reports, and corrects information system flaws" and "installs security-relevant software and firmware updates within the time period specified in the organizational policy."

The key phrase: "installs...within the time period specified." If your policy says critical fixes go out within 30 days, and you're sitting on a completed fix, you're non-compliant with your own policy.

Lessons and Action Items for Your Team

1. Audit Your Vendor Security Update Process

Don't assume that because a vendor has released a security fix, it's active in the version you're using. Specifically:

  • Review release notes for security patches and verify they're enabled by default.
  • Check configuration documentation for security features that require manual activation.
  • Test in a non-production environment that security controls are actually functioning.
  • Document which security features are optional vs. default-on.

2. Build a "Fix Available But Not Deployed" Detection System

Create a process to identify this exact scenario:

  • Track vendor security advisories against your deployed versions.
  • Flag cases where a fix exists but isn't in your running code.
  • Escalate gaps to your change advisory board within 48 hours.
  • Set SLAs for deploying available fixes based on severity.

3. Implement Post-Deployment Security Verification

After every deployment of third-party code:

  • Run automated tests that verify security controls are active.
  • Don't just check version numbers—test that protective features respond correctly.
  • Document the expected security behavior and alert on deviations.
  • Include security feature verification in your deployment acceptance criteria.

4. Establish a Security Feature Registry

For every third-party component:

  • List which security features exist.
  • Document whether each is enabled by default or requires configuration.
  • Track the status in your environment (enabled/disabled/not applicable).
  • Review quarterly and after every version upgrade.

5. Revise Your Vendor Risk Assessment Questions

Add these to your vendor security questionnaires:

  • "Do your security fixes require manual enablement after deployment?"
  • "What is your process for ensuring security patches are active in production builds?"
  • "How do you communicate when a fix exists but isn't enabled by default?"
  • "What verification can you provide that security features are active in our environment?"

6. Create an Escalation Path for "Fix Exists, Not Deployed" Scenarios

This situation should trigger immediate action:

  • Classify it as a critical finding regardless of the underlying vulnerability severity.
  • Require executive approval to defer deployment beyond 7 days.
  • Document the business justification for any delay.
  • Re-assess risk weekly until deployed.

The Claude Code situation exposes a blind spot in most vulnerability management programs: you're tracking whether patches exist and whether you've applied them, but you're not systematically checking whether applied patches are actually active. That gap is where attackers live.

CVE Details

Topics:Incident

You Might Also Like

When Identity Verification Failed Against AI Agents: A Post-Mortem
4 min readFor Security Engineers

When Identity Verification Failed Against AI Agents: A Post-Mortem

What Happened In the past 18 months, organizations using AI systems have faced security failures that traditional identity-based controls couldn t stop. While no single breach stands out, the overall

Read
Ruby Gems and Go Modules Turned Weapons: BufferZoneCorp Attack Breakdown
4 min readFor Security Engineers

Ruby Gems and Go Modules Turned Weapons: BufferZoneCorp Attack Breakdown

A coordinated supply chain attack using poisoned Ruby gems and Go modules has exposed how attackers now target the seams between your package managers and CI/CD pipelines. The campaign, attributed to

Read
36 Hours: A SQL Injection Flaw Goes From Disclosure to Active Exploitation
4 min readFor Security Engineers

36 Hours: A SQL Injection Flaw Goes From Disclosure to Active Exploitation

What Happened In early 2026, security researchers disclosed CVE-2026-42208 , a critical SQL injection vulnerability in LiteLLM, a widely-used open-source AI Gateway. This flaw has a CVSS score of 9.3,

Read