In anthropics claude-code versions >=0.2.54 and <2.1.163, the WebFetch tool pre-approves the hostname huggingface.co as a bare hostname, allowing any path on that domain to be accessed without permission prompts or --allowedTools restrictions. An attacker able to inject untrusted content into a Claude Code context can exploit this to direct WebFetch requests to attacker-controlled model repository files on huggingface.co, which are counted as downloads server-side. This behavior creates a covert out-of-band channel for exfiltrating data accessible to Claude Code, such as files, environment variables, or command output. Exploitation requires the ability to add untrusted content into the Claude Code context. The vulnerability is addressed in version 2.1.163.

An attacker with the capability to inject untrusted content into a Claude Code context can exploit this vulnerability to exfiltrate sensitive data via a covert channel using WebFetch requests to attacker-controlled paths on huggingface.co. This can lead to unauthorized disclosure of files, environment variables, or command output accessible to Claude Code. The vulnerability does not require privileges or user interaction beyond injecting untrusted content and has a medium severity score (CVSS 6.0).

This vulnerability is fixed in anthropics claude-code version 2.1.163. Users should upgrade to version 2.1.163 or later to remediate this issue. Patch status is confirmed by the vendor advisory stating the fix is included in 2.1.163. Until upgrading, restrict the ability to inject untrusted content into Claude Code contexts to prevent exploitation.