Impact
A flaw in the cache optimization proxy for Claude Code, located in the tools/quota-statusline.sh script added in version 3.5.0, allows an attacker who can supply data to the hook stdin payload to terminate a Python triple-quoted string literal prematurely. Whatever follows in the payload is then parsed and executed as Python code under the user's Claude Code process. The result is arbitrary code execution in the context of the user, potentially allowing the attacker to read or modify confidential data, alter the user environment, or disrupt normal operation of the Claude Code tool.
Affected Systems
The vulnerability exists in the claude-code-cache-fix project, specifically versions from 3.5.0 up to and including 3.5.1. The affected script is tools/quota-statusline.sh; any deployment of the repository in those releases is impacted until the fix is applied in version 3.5.2.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation yet. The attack requires the attacker to provide data to the hook stdin payload, so the vector is local and depends on the ability to influence that input. Once successfully exploited, the attacker could execute arbitrary Python code within the user's Claude Code process, leading to serious confidentiality and integrity risks for that user's data and system.
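The mechanism described in the Impact and Risk sections above is a string-literal injection: a wrapper script pastes untrusted stdin data inside a Python triple-quoted literal, so the data decides where the literal ends. The following added example (not code from the claude-code-cache-fix project, and a hypothetical reconstruction of the pattern rather than the real script) models the unsafe template, runs a parse-based check that reveals when a payload has escaped the literal, and shows the hardened alternative in which the Python program is a fixed constant and the payload is only ever read from stdin as JSON. The payload formats and field names are constructed for the demonstration.

```python
import ast
import json
import subprocess
import sys

# Constructed payloads (hypothetical; the advisory does not show the real hook
# payload format). The second one only closes the literal and the call, then
# adds a harmless assignment, which is enough to show the parse boundary moving.
BENIGN_PAYLOAD = '{"session_id": "abc", "cost_usd": 0.12}'
BOUNDARY_PAYLOAD = '{"session_id": "abc"}""")\ninjected = 1\nmarker = ("""'


def build_unsafe_program(payload: str) -> str:
    """Model of the vulnerable pattern: the wrapper script pastes the raw
    stdin payload inside a Python triple-quoted string literal. This is a
    hypothetical reconstruction, not the project's own source."""
    return 'import json\ndata = json.loads("""' + payload + '""")\n'


def top_level_statements(source: str) -> int:
    """Number of top-level statements Python would execute for this source."""
    return len(ast.parse(source).body)


def escapes_literal(payload: str) -> bool:
    """Detection check for the unsafe template: the template always has
    exactly two statements, so a payload that yields a different count (or
    makes the program fail to parse at all) has escaped the string literal."""
    try:
        return top_level_statements(build_unsafe_program(payload)) != 2
    except SyntaxError:
        return True


# Hardened pattern: the Python program is a fixed constant and the payload is
# delivered over stdin, where it can only ever be parsed as JSON data.
SAFE_PROGRAM = (
    "import json, sys\n"
    "data = json.load(sys.stdin)\n"
    "print(data['session_id'])\n"
)


def run_safe(payload: str) -> tuple[int, str]:
    """Run SAFE_PROGRAM with the payload on stdin; return (exit code, stdout).
    A malformed or boundary-breaking payload is a JSON error, never code."""
    proc = subprocess.run(
        [sys.executable, "-c", SAFE_PROGRAM],
        input=payload,
        capture_output=True,
        text=True,
    )
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    for name, payload in (("benign", BENIGN_PAYLOAD), ("boundary", BOUNDARY_PAYLOAD)):
        print(name, "escapes literal:", escapes_literal(payload))
        print(name, "hardened result:", run_safe(payload))
```

In a shell wrapper the same fix is to stop interpolating `$payload` into a heredoc or `-c` string and instead pipe it unchanged into a fixed program (`printf '%s' "$payload" | python3 -c '...'`), so the data path and the code path never meet; the `escapes_literal` check is useful as a regression test for scripts that still build code from input, not as a substitute for that separation.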