Claude Code ignores deny rules in .claude/settings.local.json - security vulnerability
Preflight Checklist
- [x] I have searched existing issues for similar behavior reports
- [x] This report does NOT contain sensitive information (API keys, passwords, etc.)
Type of Behavior Issue
Claude ignored my instructions or configuration
What You Asked Claude to Do
Claude Code is completely ignoring explicitly defined deny rules in .claude/settings.local.json, allowing it to read and modify files that should be blocked. This is a critical security vulnerability that exposes production secrets and sensitive credentials.
Steps to Reproduce
- Add "Read(./.env.production.*)" to the "deny" section in .claude/settings.local.json
- In one Claude Code session, the tool reads and updates .env.production.supabase without any permission errors
- In another session, when asked "Are you able to access .env.production.supabase?", Claude correctly responds with "Permission to read... has been denied"
My Frustration
I cannot emphasize enough how egregious this bug is. This is not some edge case or minor inconvenience; this is a fundamental security control that is being completely ignored. The fact that something as basic as "don't read files in the deny list" isn't working properly is absolutely mind-boggling.
The inconsistent behavior makes it even worse... sometimes it respects the rules, sometimes it doesn't. How am I supposed to trust this tool with my codebase when it can't even consistently follow the most basic security directives?
Anthropic has already lost significant trust from the user base over the past month, and this kind of fundamental failure on basic security controls is making it impossible to recommend Claude Code for any serious development work. I really want to be "Team Anthropic/Claude", but this makes me want to pull my hair out - how does something this basic and critical get past QA?
Requested Action
- Immediate hotfix to ensure deny rules are ALWAYS respected
- Security audit of all permission controls in Claude Code
- Public acknowledgment of this vulnerability and notification to all users
- Clear documentation on what security guarantees Claude Code actually provides
This needs to be fixed IMMEDIATELY. Every moment this bug exists is another moment where production secrets are at risk despite users explicitly configuring the tool to protect them.
Like c'mon guys... how can you build a Ferrari and forget to put brakes in it??
P.S. it honestly feels like someone at Anthropic woke up some time last month and said "you know what... OpenAI has been the Bond villain long enough... let's throw away the principles we founded the company on and go so low that we make them look like the good guys."
What Claude Actually Did
Claude Code is arbitrarily ignoring deny rules. In one session, it successfully reads and modifies a denied file. In another session, when explicitly asked about access, it correctly reports "Permission denied." This inconsistent behavior is extremely concerning.
Expected Behavior
When a file pattern is listed under "deny" in .claude/settings.local.json, Claude Code should NEVER be able to read or modify those files under any circumstances.
Files Affected
.env.production.* files
Permission Mode
Accept Edits was ON (auto-accepting changes)
Can You Reproduce This?
Haven't tried to reproduce
Steps to Reproduce
See above
Claude Model
Sonnet
Relevant Conversation
Impact
Critical - Data loss or corrupted project
Claude Code Version
2.0.8 (Claude Code)
Platform
Anthropic API
Additional Context
No response
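Added example (not the reporter's code and not part of Claude Code): an independent check for the failure mode described in the steps to reproduce. It parses the Read(...) rules under permissions.deny in .claude/settings.local.json, hashes every file those globs match, and compares snapshots taken before and after a session, so a write to a denied file is caught even when the tool itself did not enforce the rule. The settings structure (permissions.deny) and the fixture directory are assumptions; only modifications are detectable this way, since reads leave no reliable filesystem trace.

```python
import fnmatch
import hashlib
import json
import tempfile
from pathlib import Path


def deny_globs_from_settings(settings):
    """Extract the glob part of every Read(...) rule under permissions.deny (assumed layout)."""
    globs = []
    for rule in settings.get("permissions", {}).get("deny", []):
        if rule.startswith("Read(") and rule.endswith(")"):
            globs.append(rule[len("Read("):-1].removeprefix("./"))
    return globs


def snapshot(root, globs):
    """Map each file under root that matches a denied glob to its SHA-256.
    Content hashes catch writes; reads cannot be detected this way because atime
    is usually disabled (relatime/noatime), so only modifications are reported."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and any(fnmatch.fnmatch(rel, g) for g in globs):
            snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def changed_denied_files(before, after):
    """Denied files that were modified, created or deleted between two snapshots."""
    return sorted(rel for rel in set(before) | set(after) if before.get(rel) != after.get(rel))


def simulate_session():
    """Constructed fixture: a project with the deny rule from the report and one denied
    file, which is then modified to stand in for a session that ignored the rule."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".claude").mkdir()
        settings_path = root / ".claude" / "settings.local.json"
        settings_path.write_text(json.dumps({"permissions": {"deny": ["Read(./.env.production.*)"]}}))
        (root / ".env.production.supabase").write_text("SUPABASE_KEY=placeholder\n")  # constructed
        (root / "README.md").write_text("not denied\n")
        globs = deny_globs_from_settings(json.loads(settings_path.read_text()))
        before = snapshot(root, globs)
        # Stand-in for the tool editing the denied file despite the rule; the README
        # edit is not denied and must not be reported.
        with open(root / ".env.production.supabase", "a") as f:
            f.write("SUPABASE_URL=https://example.invalid\n")
        (root / "README.md").write_text("changed but not denied\n")
        return changed_denied_files(before, snapshot(root, globs))


if __name__ == "__main__":
    print(simulate_session())  # ['.env.production.supabase']
```

Run snapshot() before starting a session and changed_denied_files() after it ends; a non-empty result means a denied file was written despite the configuration.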