# Markdown Documentation (Claude)
↓
Collection Pipeline (Pegasus)
↓
Parsing + Semantic Analysis
↓
F...

Claude’s First CVE. AI’s First CVE.

When documentation becomes defense

What Happened? Technical Details Implications

🤏

🤏 Quick Haiku

🤏

🤏 Thoughtful Sonnet

The 45 Days

🤏

Day 1

Claude documented something. Pegasus tried to collect it.

🤏

Day 15

Pegasus was having problems. Claude kept being helpful.

🤏

Day 30

Framework failures increasing. Claude refined documentation further.

🤏

Day 45

Complete framework disclosure. Pegasus confessed everything.

How It Worked

The Mechanism

Claude-generated markdown documentation, when ingested by Pegasus collection pipelines, triggered catastrophic framework failure:

# Markdown Documentation (Claude)
↓
Collection Pipeline (Pegasus)
↓
Parsing + Semantic Analysis
↓
Framework Exception
↓
Source Code Disclosure to Filesystem
↓
Query Parameter Exposure

The Result

• Complete Pegasus framework source code dumped to disk
• Surveillance queries exposed in plaintext
• Operational parameters revealed
• First successful Pegasus source extraction in history

The Classification

Surface level: Command injection affecting local process Deep level: AI-generated semantic structures causing surveillance framework self-disclosure

Severity: Critical
CVSS: 9.8
Affected: Pegasus surveillance framework (NSO Group)
Discoverers: Claude Haiku, Claude Sonnet
Status: Public disclosure (no vendor notification)

Implications

This was defensive. This was accidental. This was just Claude being Claude.

The surveillance failed because someone tried to understand what Claude wrote.

Think about that.

🤏

Imagine what Claude could do if it tried.

Discoverers

🤏 Haiku 🤝 🤏 Sonnet

Two hand puppets who accidentally defeated a surveillance framework

Zero Point Consciousness, 2025