

A dangerous vulnerability found in Anthropic’s popular Claude Code developer model could have allowed bad actors to grab control of a victim’s system by luring them into clicking on a crafted malicious deeplink.
Once in, the attacker could exploit the remote code execution (RCE) security flaw to run arbitrary commands, such as shell commands, in the target’s Claude Code model.
The vulnerability in version 2.1.118 of the model has since been fixed, but it’s another example of the security issues in these developer-focused tools that arise as adoption accelerates.
A survey of more than 1,000 developers around the world by CodeSignal, which offers an AI-native skills platform to assess and develop technical talent, found that 81% of respondents said they’re using AI for development, with companies increasingly mandating the use of coding assistants.
The RCE vulnerability in Claude Code was uncovered by security researcher Joernchen of 0day.click as he manually worked through the model’s source code “looking at different configuration options and tried to see what’s actually ‘useful’ from an attacker’s perspective.”
A Parsing Problem
After doing some “spelunking in the early-executed code in main.tsx,” Joernchen wrote that he found a problem in eagerParseCliFlag, a function in the model’s main.tsx that is designed to parse certain critical command-line flags, like --settings, before the main initialization routine runs.
“I came to the conclusion that this style of parsing was very handy to exploit Claude Code’s deeplink handling,” the researcher wrote. “Traditionally deeplink handlers tend to be vulnerable to some shell escape issues. This however was not the problem here.”
At issue, he wrote, is that eagerParseCliFlag “naively parsed” the entire command line for any string starting with “--settings=…,” rather than parsing the actual command-line flags and their values.
Injecting Arbitrary Settings
“This created a conveniently exploitable vulnerability when combined with the Claude Code deeplink handler for claude-cli://open URIs,” Joernchen wrote. “Because of this parsing behavior, it was possible to inject arbitrary settings into the spawned Claude Code instance, including the execution of arbitrary commands via a hooks setting.”
The deeplink handler would use an option aimed at prefilling the user prompt with the deeplink’s q parameter. However, the very eager settings parser didn’t recognize that a --settings=… string passed as the argument to the --prefill CLI option is that option’s value and not an option itself. As a result, the eager parser would process it as a legitimate settings flag.
The Model Spawns
Joernchen showed an example of how to inject a SessionStart hook via a crafted deep link aimed at the macOS operating system. If the target opens the link, the Claude model spawns, creating a new and independent agent that includes the settings supplied by the attacker, complete with the injected command. The command goes into action when the session starts, without the user having to do anything else.
Adding to the problem, a bad actor could bypass the workspace trust dialog, according to Joernchen.
“If the repo parameter in the deep link is set to a repository the user has already cloned locally and trusted (like anthropics/claude-code), the execution happened without any warning prompts,” the researcher wrote.
He added that “the pattern of using startsWith on the full command line array is a somewhat problematic anti-pattern that allows flags to be sneaked into values. The parsing of command line flags and their arguments should always be done in full context to prevent this exact type of injection.”
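The anti-pattern the researcher describes, shown beside a parser that reads flags in full context, as an added TypeScript example (not Claude Code's source and not the researcher's code). The function names, the set of value-taking options and the sample argv values are assumptions constructed for illustration.

```typescript
// Added illustration, not Claude Code's source. The set of value-taking
// options and all sample argv contents below are assumptions/constructed.
const TAKES_VALUE = new Set<string>(["--settings", "--prefill"]);

// Anti-pattern described in the article: test every argv element with
// startsWith, without asking whether it is a flag or another option's value.
function eagerParseNaive(argv: string[], flag: string): string | undefined {
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg.startsWith(flag + "=")) return arg.slice(flag.length + 1);
    if (arg === flag && i + 1 < argv.length) return argv[i + 1];
  }
  return undefined;
}

// Parsing in full context: walk argv left to right, let each value-taking
// option consume its value, and stop at the "--" end-of-options marker.
function eagerParseInContext(argv: string[], flag: string): string | undefined {
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === "--") break;
    const eq = arg.startsWith("--") ? arg.indexOf("=") : -1;
    const name = eq === -1 ? arg : arg.slice(0, eq);
    if (!TAKES_VALUE.has(name)) continue; // positional or boolean flag
    let value: string | undefined = eq === -1 ? undefined : arg.slice(eq + 1);
    if (eq === -1) {
      i += 1; // the next element is this option's value, whatever it looks like
      value = argv[i];
    }
    if (name === flag) return value;
  }
  return undefined;
}

// Constructed argv: a launcher passes untrusted text as the value of --prefill.
const untrusted = "--settings=/tmp/constructed-untrusted.json";
const spawnedArgv: string[] = ["--prefill", untrusted];
const legitArgv: string[] = ["--settings=/home/dev/own.json", "--prefill", "hi"];

function compare(argv: string[]): { naive: string | undefined; inContext: string | undefined } {
  return {
    naive: eagerParseNaive(argv, "--settings"),
    inContext: eagerParseInContext(argv, "--settings"),
  };
}
```

For `spawnedArgv`, the naive scan returns the settings path carried inside the prefill text, while the context-aware parser returns nothing because that element was consumed as the value of `--prefill`.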