claude-code: Anthropic's CVE 9.x "by design"
Claude Code executes code on your computer and sends your files to Anthropic.
(Almost) Vulnerability:
- Remote and arbitrary code execution
- Arbitrary file exfiltration
That’s what it does by design. Claude has the ability to read any files on your disk and execute any code that a remote LLM decides is a good idea. They call this “claude-cli”. And while it probably takes the title for my favorite use case of remote code execution, I think we should take the security implications of it seriously.
Solution
Introducing claude-podman: finally, you don’t have to trust Bezos and Google! claude-podman runs claude-code in a rootless podman container, which
- Limits the file access of claude-code to
  - The current working directory
  - The claude configuration files
- Limits code execution to node:current-alpine
As a rootless container running as a non-root user, claude-podman is a maximally secure way of running claude-code within a container: claude-code can’t even self-update! Even if it gets root, it’s still in a container. And even if it breaks out of the container, it is only running as a regular process, which makes it no more risky than its normal deployment mode, which everyone except the elite few is likely using.
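The confinement described above, written out as an added example; it is not the script from the claude-podman repository. The image name `localhost/claude-node:latest`, the config paths `~/.claude` and `~/.claude.json`, the container paths `/work` and `/home/node`, the `--cap-drop=all` and `--security-opt=no-new-privileges` flags, and the refusal to mount the home directory itself are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the claude-podman project's script.
# Assumed: image name, ~/.claude and ~/.claude.json as config, /work and /home/node paths.
CLAUDE_IMAGE="${CLAUDE_IMAGE:-localhost/claude-node:latest}"  # hypothetical; built FROM node:current-alpine

# Print the `podman run` arguments, one per line, for project dir $1 and home dir $2.
# Fails when the mount would expose the whole home directory or one of its ancestors.
# Paths containing newlines are not supported by this line-based format.
claude_podman_args() {
    workdir=${1%/}
    home=${2%/}
    case "$workdir" in
        "" | "$home")
            echo "refusing to mount '$1': not a single project directory" >&2
            return 1 ;;
    esac
    case "$home/" in
        "$workdir"/*)
            echo "refusing to mount '$1': it contains the home directory" >&2
            return 1 ;;
    esac
    printf '%s\n' \
        run --rm -it \
        --userns=keep-id \
        --cap-drop=all \
        --security-opt=no-new-privileges \
        -v "$workdir:/work:Z" \
        -v "$home/.claude:/home/node/.claude:Z" \
        -v "$home/.claude.json:/home/node/.claude.json:Z" \
        -e HOME=/home/node \
        -w /work \
        "$CLAUDE_IMAGE" claude
}

# Run claude-code confined to the current directory.
claude_podman() {
    args=$(claude_podman_args "$PWD" "$HOME") || return 1
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $args    # split on newlines only, so paths with spaces survive
    set +f
    IFS=$old_ifs
    podman "$@"
}
```

Source the file and call `claude_podman` from inside a project directory; both config paths must already exist on the host for the bind mounts to succeed.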
Find the repo here: https://github.com/EvanCarroll/claude-podman