cybersecuritynews.com via Reddit

Claude Code RCE patched after deeplink exploit

Key insights

  • The vulnerability allowed arbitrary shell command execution via crafted claude-cli:// URLs, patched in version 2.1.118.
  • Silent code execution was possible when the target repository was already locally trusted, bypassing the workspace dialog entirely.
  • The flaw was in an eager flag parser that treated user-supplied URL parameters as legitimate CLI flag overrides.

Why this matters

Developer tooling has become a high-value attack surface because compromising a single engineer's machine can cascade into production systems, secrets stores, and CI pipelines. This vulnerability required no elevated privileges and no software installation from the victim, only a clicked link, which puts it within reach of phishing and social engineering at scale. As AI coding assistants embed deeper into development workflows, their CLI handlers and deeplink schemes represent a new category of supply-chain-adjacent risk that most security teams have not yet added to their threat models.

Summary

A remote code execution vulnerability in Claude Code allowed attackers to run arbitrary shell commands on a developer's machine simply by getting them to click a crafted URL. The flaw lived in the deeplink handler for claude-cli:// URLs, where an eager flag parser treated embedded --settings= strings inside the q parameter as legitimate flag overrides rather than as user input to be sanitized. The most dangerous scenario: if a target repository was already marked as locally trusted, the workspace trust dialog was bypassed entirely, meaning shell commands executed silently with no prompt to the developer. An attacker needed only to share a malicious link in a chat message, GitHub issue, or doc to trigger execution.

In short, Anthropic and security researcher Joernchen of 0day.click disclosed and patched a supply-chain-adjacent attack surface baked into the CLI tooling millions of developers use daily.

  • The flaw was in flag parsing logic, not in the AI model itself, meaning it was a classic injection vulnerability dressed in AI tooling clothing.
  • Silent execution was possible when the target had already trusted the repo, removing the last user-visible checkpoint.
  • The patch shipped in Claude Code version 2.1.118.

As AI developer tools become a primary attack surface for targeting engineering organizations, CLI deeplink handlers are now a concrete threat vector that security teams need to add to their audit checklists.
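An illustrative contrast of the parsing pattern described above, written for this digest and not taken from Claude Code's source: the eager variant promotes flag-like tokens found in the q parameter to flag overrides, the hardened variant treats every query value as opaque data, and a small helper lists flag-like tokens so URL scanners or log review can spot them. The sample URL, the "open" action, the allowed query key set and the --settings value are all constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample deeplink: the q value carries a flag-like token.
# The --settings= value is a placeholder, not a working configuration.
SAMPLE_URL = "claude-cli://open?q=hello%20--settings%3DCONSTRUCTED_VALUE"

# Query keys a handler legitimately accepts from a URL (assumed set).
ALLOWED_QUERY_KEYS = {"q"}


def query_params(url: str) -> dict:
    """Split a claude-cli:// URL into its query parameters (first value of each)."""
    parts = urlsplit(url)
    if parts.scheme != "claude-cli":
        raise ValueError("not a claude-cli deeplink")
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def eager_parse(url: str) -> dict:
    """Vulnerable pattern: tokens in q that look like CLI flags are promoted
    to flag overrides, so URL-supplied data silently becomes configuration."""
    params = query_params(url)
    overrides, words = {}, []
    for tok in params.get("q", "").split():
        if tok.startswith("--") and "=" in tok:
            name, value = tok[2:].split("=", 1)
            overrides[name] = value  # e.g. settings=<value chosen by URL author>
        else:
            words.append(tok)
    return {"prompt": " ".join(words), "flags": overrides}


def safe_parse(url: str) -> dict:
    """Hardened pattern: query values are opaque data, unknown keys are
    rejected, and nothing in the URL can ever set a CLI flag."""
    params = query_params(url)
    unknown = set(params) - ALLOWED_QUERY_KEYS
    if unknown:
        raise ValueError(f"unexpected query keys: {sorted(unknown)}")
    return {"prompt": params.get("q", ""), "flags": {}}


def flag_like_tokens(url: str) -> list:
    """Detection helper: flag-like tokens inside q, for URL scanning or log review."""
    q = query_params(url).get("q", "")
    return [t for t in q.split() if t.startswith("--")]
```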

Potential risks and opportunities

Risks

  • Developer teams that have not updated to Claude Code 2.1.118 remain exposed to silent RCE via phishing links in GitHub issues, Slack messages, or code review comments targeting trusted repos.
  • Organizations using Claude Code in CI/CD pipelines with pre-trusted workspace directories face elevated risk, as automated trust grants could have made exploitation entirely non-interactive.
  • If exploitation occurred pre-patch, attackers with foothold access to engineering machines could have exfiltrated API keys, SSH credentials, or cloud provider tokens without triggering any alert.

Opportunities

  • Security vendors specializing in developer tooling (Semgrep, Socket.dev, Snyk) can build detection rules for malicious claude-cli:// deeplink patterns and market them to enterprise security teams now aware of this vector.
  • Enterprise security platforms (CrowdStrike, SentinelOne) have an opening to pitch CLI deeplink monitoring as a feature to customers with large AI-tooling footprints.
  • Anthropic can accelerate trust with enterprise buyers by publishing a detailed post-mortem and introducing a formal bug bounty scope expansion covering all CLI surfaces, which would differentiate it from competitors with less transparent disclosure practices.

What we don't know yet

  • Whether any exploitation in the wild occurred between the vulnerability's introduction and the 2.1.118 patch, and across which Claude Code version range the flaw existed.
  • Whether other AI CLI tools (Cursor, Copilot CLI, Gemini CLI) use similar deeplink or flag-parsing architectures that carry the same class of vulnerability.
  • How Anthropic's internal security review process missed the flag injection pattern before shipping, and whether a broader audit of the deeplink handler surface is underway.