LSP which Fallback Injection

• Entity ID: ent-20260419-3ec24c9b6dc1
• Type: issue
• Scope: shared
• Status: active
• Aliases: second CWE-78 sink, POSIX which fallback vuln

Description

Second command injection (CWE-78) independently patched in v2.1.101/v2.1.105. The POSIX 'which' fallback used by LSP binary detection interpolated unsanitized input. Discovered by the source map community after the Phoenix disclosure.

Key claims

• Second CWE-78 sink patched in v2.1.101/v2.1.105 (LSP which fallback)

Relations

• LSP which Fallback Injection --[fixed]--> Claude Code v2.1.105

Sources

src-20260419-cfed81b8d6a5