A critical security vulnerability was recently discovered in Anthropic’s Claude Code CLI tool that could have allowed attackers to execute arbitrary commands on a victim’s machine. The flaw, which has been patched in version 2.1.118, was identified by security researcher Joernchen during a manual audit of the tool’s source code.
How the Exploit Worked
The vulnerability originated in a function called eagerParseCliFlag, which was designed to parse critical flags like –settings before the main initialization routine runs. The problem was that this function scanned the entire command line argument array for any string beginning with –settings=, without tracking whether that string was an actual flag or merely a value passed to another flag. This context blind parsing created a dangerous injection point.
Claude Code’s deeplink handler uses the –prefill option to pre-populate user prompts with content from the deeplink’s q parameter. Because the eager parser did not distinguish between flags and flag arguments, any –settings= string embedded inside the q parameter’s value was silently treated as a legitimate settings override.
Impact and Scope
Claude Code supports a powerful hooks configuration that allows commands to execute automatically at defined session lifecycle events. An attacker could exploit the parsing flaw to inject a malicious SessionStart hook via a crafted URI. When a victim opened such a link, Claude Code would spawn with the attacker supplied settings, and the injected command would fire immediately at session start with no user interaction required beyond clicking the link.
Compounding the severity, the vulnerability enabled a complete bypass of Claude Code’s workspace trust dialog. By setting the deeplink’s repo parameter to a repository the victim had already cloned and trusted locally, such as anthropics/claude-code itself, the execution occurred silently with no warning prompts displayed to the user. Anthropic has addressed the vulnerability in Claude Code version 2.1.118.
Source: Cyber Security News
