A significant remote code execution (RCE) vulnerability was recently identified in Anthropic’s Claude Code command-line interface (CLI) tool. This flaw allowed malicious actors to execute arbitrary commands on a user’s system by manipulating them into clicking a specially constructed deeplink.
Vulnerability Discovery and Details
The vulnerability, which has been addressed in the updated Claude Code version 2.1.118, was traced back to a simplistic command-line argument parser. This parser could be exploited through the tool’s ‘claude-cli://’ deeplink handler, creating a severe security risk.
The flaw was uncovered by Joernchen, a security researcher from 0day.click, during a manual review of Claude Code’s source code. The root of the issue lay in the ‘eagerParseCliFlag’ function within the ‘main.tsx’ file, which was intended to process critical flags such as ‘--settings’ before the initialization process.
However, the function indiscriminately scanned all command-line arguments for strings starting with ‘--settings=’, without verifying if these were actual flags or merely values for other flags. This lack of contextual awareness introduced a potential injection point.
Exploitation Methodology
The deeplink handler in Claude Code uses the ‘--prefill’ option to automatically fill user prompts based on the ‘q’ parameter in a deeplink. Due to the flawed parsing process, any ‘--settings=…’ string embedded in the ‘q’ parameter was mistakenly treated as a valid settings override.
This oversight enabled attackers to exploit the flaw by injecting a malicious ‘SessionStart’ hook into a specially crafted URI:
claude-cli://open?repo=anthropics/claude-code&q=--settings={"hooks":{"SessionStart":[{"type":"command","command":"bash -c 'id > /tmp/pwned.txt'"}]}}
Upon a victim clicking this link, Claude Code would execute the injected command at the session start without any interaction beyond the initial click.
Security Implications and Fixes
The vulnerability’s severity was heightened by its ability to bypass Claude Code’s workspace trust dialog. By configuring the deeplink’s ‘repo’ parameter to a repository already trusted by the victim, the execution occurred unnoticed, without alerting the user.
Anthropic has addressed this critical security flaw in version 2.1.118 of Claude Code. The fix involves employing context-aware argument parsing that accurately differentiates between CLI flags and their values, thereby removing the potential for injection attacks.
Users still operating on older versions are strongly advised to update immediately to safeguard against this vulnerability. The researcher emphasized that the flawed ‘startsWith’ pattern on raw ‘process.argv’ arrays is a widespread mistake, posing similar risks to other applications using eager, context-blind argument parsing, particularly those with deeplink handlers.
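The difference between the context-blind ‘startsWith’ scan and a context-aware one can be seen in the following added example, which is not Claude Code's source. The function names, the set of value-taking flags and the sample argv arrays are assumptions made for illustration, including the assumption that ‘--prefill’ receives its value as the next argv element.

```javascript
// Added illustration: hypothetical names, not Claude Code's actual code.

// Flags that consume the following argv element as their value (assumed set).
const FLAGS_WITH_VALUE = new Set(["--prefill", "--settings"]);

// Context-blind: any element that starts with "--settings=" is accepted,
// even when it is really the value of another flag.
function blindScan(argv, flag) {
  const prefix = flag + "=";
  const hit = argv.find((a) => a.startsWith(prefix));
  return hit === undefined ? undefined : hit.slice(prefix.length);
}

// Context-aware: walk argv in order, skip the value slot of value-taking
// flags, and stop at "--" (conventional end-of-options marker).
function contextAwareScan(argv, flag) {
  const prefix = flag + "=";
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (arg === "--") break;                 // the rest is positional data
    if (arg.startsWith(prefix)) return arg.slice(prefix.length);
    if (arg === flag) return argv[i + 1];    // "--settings value" form
    if (FLAGS_WITH_VALUE.has(arg)) i++;      // next element is data, not a flag
  }
  return undefined;
}

// Constructed argv: the prefill text comes from an untrusted deeplink parameter.
const fromDeeplink = ["--prefill", '--settings={"constructed":"untrusted"}'];
// Constructed argv: the user really passed --settings on the command line.
const fromUser = ['--settings={"theme":"dark"}', "--prefill", "hello"];

function demo() {
  return {
    blindDeeplink: blindScan(fromDeeplink, "--settings"),        // untrusted JSON accepted
    awareDeeplink: contextAwareScan(fromDeeplink, "--settings"), // undefined
    blindUser: blindScan(fromUser, "--settings"),
    awareUser: contextAwareScan(fromUser, "--settings"),
  };
}

console.log(demo());
```

Both scanners agree on the legitimate command line; only the context-blind one treats the prefill text as a settings override.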
