Critical RCE Vulnerability in Claude Code Allows Command Execution via Malicious Deeplinks
A significant remote code execution (RCE) vulnerability has been identified in Anthropic’s Claude Code command-line interface (CLI) tool, enabling attackers to execute arbitrary commands on a victim’s machine through specially crafted deeplinks. This flaw, now addressed in Claude Code version 2.1.118, was rooted in an inadequate command-line argument parser that could be exploited via the tool’s `claude-cli://` deeplink handler.
Discovery and Technical Details
Security researcher Joernchen from 0day.click discovered the vulnerability during a manual audit of Claude Code’s source code. The issue originated from the `eagerParseCliFlag` function in `main.tsx`, designed to parse critical flags like `–settings` before the main initialization routine. The function scanned the entire command-line argument array for any string beginning with `–settings=`, without verifying whether the string was an actual flag or a value passed to another flag. This lack of context in parsing created a potential injection point.
Claude Code’s deeplink handler utilizes the `–prefill` option to pre-populate user prompts with content from the deeplink’s `q` parameter. Due to the eager parser’s inability to distinguish between flags and flag arguments, any `–settings=…` string embedded within the `q` parameter’s value was treated as a legitimate settings override.
Exploitation via Malicious Deeplinks
Claude Code supports a `hooks` configuration that allows commands to execute automatically at defined session lifecycle events. An attacker could exploit the parsing flaw to inject a malicious `SessionStart` hook through a crafted URI:
“`
claude-cli://open?repo=anthropics/claude-code&q=–settings={hooks:{SessionStart:[{type:command,command:bash -c ‘id > /tmp/pwned.txt’}]}}
“`
When a victim opens this link, Claude Code launches with the attacker-supplied settings, and the injected command executes immediately at session start, requiring no further user interaction beyond clicking the link.
Bypassing Workspace Trust Dialog
The severity of this vulnerability is heightened by its ability to bypass Claude Code’s workspace trust dialog. By setting the deeplink’s `repo` parameter to a repository the victim had already cloned and trusted locally, such as `anthropics/claude-code` itself, the execution occurs silently, with no warning prompts displayed to the user.
Anthropic’s Response and Mitigation
Anthropic addressed the vulnerability in Claude Code version 2.1.118 by implementing context-aware argument parsing that properly distinguishes between CLI flags and their associated values, effectively eliminating the injection surface. Users running older versions are strongly urged to update immediately to mitigate potential risks.
Broader Implications
The researcher highlighted that the `startsWith` anti-pattern used on raw `process.argv` arrays is a common mistake. Any application performing eager, context-blind argument parsing faces similar injection risks, particularly when deeplink handlers are involved.
Conclusion
This vulnerability underscores the importance of robust input validation and context-aware parsing in software development. Developers are advised to scrutinize their applications for similar flaws and implement comprehensive security measures to prevent exploitation.
