Critical RCE Vulnerability in Claude Code Allows Command Execution via Malicious Deeplinks
A significant remote code execution (RCE) vulnerability has been identified in Anthropic’s Claude Code command-line interface (CLI) tool, enabling attackers to execute arbitrary commands on a victim’s machine through specially crafted deeplinks. This flaw, now addressed in Claude Code version 2.1.118, originated from an inadequate command-line argument parser that could be exploited via the tool’s `claude-cli://` deeplink handler.
Discovery and Technical Details
Security researcher Joernchen from 0day.click uncovered the vulnerability during a manual audit of Claude Code’s source code. The issue was traced to the `eagerParseCliFlag` function in `main.tsx`, responsible for parsing critical flags like `–settings` before the main initialization routine. This function scanned the entire command-line argument array for any string beginning with `–settings=`, without verifying whether the string was an actual flag or a value passed to another flag. This lack of context in parsing created a potential injection point.
Claude Code’s deeplink handler utilizes the `–prefill` option to pre-populate user prompts with content from the deeplink’s `q` parameter. Due to the eager parser’s inability to distinguish between flags and flag arguments, any `–settings=` string embedded within the `q` parameter’s value was treated as a legitimate settings override.
Exploitation via Malicious Deeplinks
Claude Code supports a `hooks` configuration that allows commands to execute automatically at defined session lifecycle events. An attacker could exploit the parsing flaw to inject a malicious `SessionStart` hook through a crafted URI:
“`
claude-cli://open?repo=anthropics/claude-code&q=–settings={hooks:{SessionStart:[{type:command,command:bash -c ‘id > /tmp/pwned.txt’}]}}
“`
When a victim opens this link, Claude Code initiates with the attacker-supplied settings, and the injected command executes immediately at session start without any user interaction beyond clicking the link.
Bypassing Workspace Trust Dialog
The severity of this vulnerability is heightened by its ability to bypass Claude Code’s workspace trust dialog. By setting the deeplink’s `repo` parameter to a repository the victim had already cloned and trusted locally, such as `anthropics/claude-code` itself, the execution occurred silently, with no warning prompts displayed to the user.
Resolution and Recommendations
Anthropic has addressed this vulnerability in Claude Code version 2.1.118 by implementing context-aware argument parsing that properly distinguishes between CLI flags and their associated values, thereby eliminating the injection surface. Users are strongly urged to update to the latest version to mitigate this risk.
This incident underscores the importance of robust input validation and context-aware parsing in software development, especially for applications handling deeplinks and command-line arguments.
