Known Bugs and Regressions
Documented issues in claude-code discovered through community analysis and the source leak.
CVE Cluster
| CVE | CVSS | Mechanism | Fixed |
|---|---|---|---|
| CVE-2025-59536 | 8.7 | Pre-trust hook execution — RCE before trust dialog | v1.0.111 |
| CVE-2026-21852 | 5.3 | ANTHROPIC_BASE_URL redirect exfiltrates API key | v2.0.65 |
| CVE-2025-54795 | 8.7 | Confirmation prompt bypass via prompt crafting | v1.0.20 |
| Adversa deny-cap | TBD | 50-subcommand overflow in bash-security | v2.1.90 |
| CVE-2026-35020/21/22 | TBD | Command injection in which.ts, promptEditor.ts, auth.ts | Unpatched |
Cache Bug Catalogue (B1-B6)
| Bug | Description | Status |
|---|---|---|
| B1-B3 | Cache prefix invalidation bugs | Fixed in v2.1.91 |
| B4 | Synthetic entry injection — 151+ fake entries from background tasks | Open |
| B5 | Cache alignment bug | Fixed in v2.1.91 |
| B6 | Zero-reasoning budget — adaptive thinking set high but individual turns get 0 tokens | Fixed in v2.1.94 |
v2.1.91 was the most important stability release. v2.1.94 changed default effort from medium to high.
Performance Issues
- 150K compaction threshold: Hardcoded at 150K tokens; at 1M context, triggers at 15% utilization. See compaction-pipeline.
- Autocompact death loop: 1,279 sessions had 50+ consecutive failures, wasting ~250K API calls/day globally. A circuit breaker was added afterwards.
- Resume cache tax: --resume creates a triple cache-prefix discrepancy, causing 10-20x cost since v2.1.69. See cache-economics.
- Silent model downgrade: After 3 HTTP 529 errors, Opus silently falls back to Sonnet without notification.
- extractMemories token doubler: Fire-and-forget Opus call per turn doubles effective token consumption (26M vs 13M).
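Two of the failure modes above leave a recognisable trace in per-call logs: a served model that differs from the requested one right after a run of 529s, and long runs of consecutive autocompact failures. The script below is an added example, not claude-code's own code; the JSON-lines log format and its field names (ts, kind, requested_model, served_model, status) are assumed, and the sample log is constructed.

```python
import json

# Constructed sample log (not real claude-code output); one JSON object per line.
SAMPLE_LOG = """\
{"ts": 1, "kind": "api", "requested_model": "opus", "served_model": "opus", "status": 200}
{"ts": 2, "kind": "api", "requested_model": "opus", "served_model": null, "status": 529}
{"ts": 3, "kind": "api", "requested_model": "opus", "served_model": null, "status": 529}
{"ts": 4, "kind": "api", "requested_model": "opus", "served_model": null, "status": 529}
{"ts": 5, "kind": "api", "requested_model": "opus", "served_model": "sonnet", "status": 200}
{"ts": 6, "kind": "autocompact", "status": "fail"}
{"ts": 7, "kind": "autocompact", "status": "fail"}
{"ts": 8, "kind": "autocompact", "status": "ok"}
{"ts": 9, "kind": "autocompact", "status": "fail"}
{"ts": 10, "kind": "autocompact", "status": "fail"}
{"ts": 11, "kind": "autocompact", "status": "fail"}
"""

def parse_log(text):
    """Parse the JSON-lines log into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_silent_downgrades(events, overload_status=529):
    """Return (ts, overloads_before) for every successful API call answered by a
    model other than the one requested. overloads_before is the number of
    consecutive overload responses immediately before it (3 matches the
    fallback behaviour described above)."""
    findings, streak = [], 0
    for e in events:
        if e["kind"] != "api":
            continue
        if e["status"] == overload_status:
            streak += 1
            continue
        if e["served_model"] != e["requested_model"]:
            findings.append((e["ts"], streak))
        streak = 0  # any non-overload response ends the streak
    return findings

def longest_autocompact_failure_run(events):
    """Longest run of consecutive autocompact failures. Compare the result
    against the 50-failure death-loop threshold a circuit breaker should trip on."""
    longest = run = 0
    for e in events:
        if e["kind"] != "autocompact":
            continue
        run = run + 1 if e["status"] == "fail" else 0
        longest = max(longest, run)
    return longest

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("silent downgrades (ts, 529s before):", find_silent_downgrades(ev))
    print("longest autocompact failure run:", longest_autocompact_failure_run(ev))
```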
Quality Regression (Feb-March 2026)
Quantified by the Stella Laurenzo investigation (17,871 thinking blocks, 234,760 tool calls):
- Median thinking depth collapsed 67-75% (2,200 → 560-720 chars)
- Read:Edit ratio collapsed from 6.6:1 to 2.0:1
- Full rewrites doubled (4.9% → 10-11%)
- User vocabulary shifted: "simplest" +642%, "stop" +87%, "great" -47%
- Cost exploded 122x despite the same user prompt volume
Three Streaming Hang Bugs
Three cascading watchdog bugs: (1) the watchdog is armed only after the dangerous phase, (2) it targets undefined objects, (3) the fallback fires in the wrong phase. Kolkov analysis: 16.3% API failure rate, 5.4% orphaned tool calls.
cch=00000 Bug
The native-attestation sentinel string replacement corrupts message content whenever the conversation discusses billing, causing 10-20x token consumption per request.