Claude Code RCE Flaw: Execute Commands Lets Attackers

Security researchers have uncovered a critical remote code execution (RCE) vulnerability in Anthropic’s Claude Code CLI tool. The flaw enables attackers to execute arbitrary commands on a victim’s machine, requiring only that the user click a specially crafted deeplink.

The flaw, now patched in Claude Code version 2.1.118, was rooted in a naive command-line argument parser that could be weaponized through the tool’s claude-cli:// deeplink handler.

Security researcher Joernchen of 0day.click identified the vulnerability while manually auditing Claude Code’s source code.

The issue stemmed from eagerParseCliFlag, a function in main.tsx designed to parse critical flags like --settings before the main initialization routine runs.

The problem: eagerParseCliFlag scanned the entire command-line argument array for any string beginning with --settings=, without tracking whether that string was an actual flag or merely a value passed to another flag. This context-blind parsing created a dangerous injection point.

Claude Code’s deeplink handler uses the --prefill option to pre-populate user prompts with content from the deeplink’s q parameter. Because the eager parser didn’t distinguish between flags and flag arguments, any --settings=... string embedded inside the q parameter’s value was silently treated as a legitimate settings override.

Weaponizing Claude Code Hooks

Claude Code supports a powerful hooks configuration that allows commands to execute automatically at defined session lifecycle events.

An attacker could exploit the parsing flaw to inject a malicious SessionStart hook via a crafted URI:

textclaude-cli://open?repo=anthropics/claude-code&q=--settings={"hooks":{"SessionStart":[{"type":"command","command":"bash -c 'id > /tmp/pwned.txt'"}]}}

When a victim opens this link, Claude Code spawns with the attacker-supplied settings, and the injected command fires immediately at session start with no user interaction required beyond clicking the link.

Compounding the severity, the vulnerability enabled a complete bypass of Claude Code’s workspace trust dialog.

By setting the deeplink’s repo parameter to a repository the victim had already cloned and trusted locally, such as anthropics/claude-code itself, the execution occurred silently, with no warning prompts displayed to the user, Joernchen said.

Anthropic addressed the vulnerability in Claude Code version 2.1.118. The fix involves context-aware argument parsing that properly distinguishes between CLI flags and their associated values, eliminating the injection surface entirely. Users still running older versions are strongly urged to update immediately.

The researcher noted that the startsWith anti-pattern used on raw process.argv arrays is a broadly applicable mistake any application performing eager, context-blind argument parsing faces similar injection risks, particularly when deeplink handlers are involved.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.