Skip to main content

Attackers Can Exploit a Claude Code RCE Flaw to Take Command of System

A dangerous vulnerability found in Anthropic’s popular Claude Code developer model could have allowed bad actors to grab control of a victim’s system by luring them into clicking on a crafted malicious deeplink.

Once in, the attacker could exploit the remote code execution (RCE) security flaw to execute arbitrary commands – such as shell commands – into the target’s Claude Code model.

The vulnerability in version 2.1.118 of the model has since been fixed, but it’s another example of the security issues in these developer-focused tools that arise as adoption accelerates.

A survey of more than 1,000 developers around the world by CodeSignal, which offers an AI-native skills platform to assess and develop technical talent, found that 81% of respondents said they’re using AI for development, with companies increasingly mandating the use of coding assistants.

The RCE vulnerability in Claude Code was uncovered by security researcher Joernchen of 0day.click as he manually worked through the model’s source code “looking at different configuration options and tried to see what’s actually ‘useful’ from an attacker’s perspective.”

A Parsing Problem

After doing some “spelunking in the early-executed code in main.tsx,” Joernchen wrote that he found a problem in the eagerParseCliFlag function in the model’s main.tsx, which is used to parse certain command-line flag like –settings before the main initialization route runs.

The issue stemmed from eagerParseCliFlag, a function in main.tsx designed to parse critical flags like –settings before the main initialization routine runs.

“I came to the conclusion that this style of parsing was very handy to exploit Claude Code’s deeplink handling,” the researcher wrote. “Traditionally deeplink handlers tend to be vulnerable to some shell escape issues. This however was not the problem here.”

At issue, he wrote, is that eagerParseCliFlag “naively parsed” the entire command line with any string starting with “–settings=…,” rather than the actual command line flags and their values.

Injecting Arbitrary Settings

“This created a conveniently exploitable vulnerability when combined with the Claude Code deeplink handler for claude-cli://open URIs,” Joernchen wrote. “Because of this parsing behavior, it was possible to inject arbitrary settings into the spawned Claude Code instance, including the execution of arbitrary commands via a hooks setting.”

The deeplink handler would use an option aimed at prefilling the user prompt with the deeplink’s q parameter. However, the very eager settings parser didn’t see that any –settings=… which is used as an argument to the –prefill CLI option, is an argument to the option and not an option itself. The result was the eager parser would process it as a legitimate settings flag.

The Model Spawns

Joernchen showed an example of how to inject a SessionStart hook via a crafted deep link aimed at the macOS operating system. If the target opens the link, the Claude model spawns, creating a new and independent agent that includes the settings supplied by the attacker, complete with the injected command. The command goes into action when the session starts, without the user having to do anything else.

Adding to the problem, a bad actor could bypass the workspace trust dialog, according to Joernchen.

“If the repo parameter in the deep link is set to a repository the user has already cloned locally and trusted (like anthropics/claude-code), the execution happened without any warning prompts,” the researcher wrote.

He added that “the pattern of using startsWith on the full command line array is a somewhat problematic anti-pattern that allows flags to be sneaked into values. The parsing of command line flags and their arguments should always be done in full context to prevent this exact type of injection.”



from DevOps.com https://ift.tt/E1FjuBU
Labels:

Comments

Post a Comment

Popular posts from this blog

Cursor’s New SDK Turns AI Coding Agents Into Deployable Infrastructure

For most of its life, Cursor has been an IDE. A very good one. But with the public beta of the Cursor SDK, the company is making a different kind of move — one that should get the attention of DevOps teams. The Cursor SDK is a TypeScript library that gives engineers programmatic access to the same runtime, models, and agent harness that power Cursor’s desktop app, CLI, and web interface. In short, the agents that used to live inside an editor can now be invoked from anywhere in your stack. That’s a meaningful shift in how AI coding tools fit into software delivery pipelines. From the Editor to the Pipeline If you’ve used Cursor before, the workflow is familiar — you interact with an agent in real time, asking it to write functions, fix bugs, or review code. The SDK breaks that dependency on interactive use. Now you can call those same agents programmatically, from a CI/CD trigger, a backend service, or embedded inside another tool. Getting started is a single inst...
Post a Comment
Read more

Mistral Moves Coding Agents to the Cloud — and Gets Out of Your Way

For the past year or so, AI coding agents have been tethered to your local machine. You kick off a task, watch the terminal, and babysit every step. It works — but it’s not exactly hands-free. Mistral just changed that. On April 29, the Paris-based AI company announced remote coding agents for its Vibe platform, powered by a new model called Mistral Medium 3.5. The idea is simple: Instead of running coding sessions on your laptop, they now run in the cloud — asynchronously, in parallel, and without you watching over them. What’s Actually New Coding sessions can now work through long tasks while you’re away. Many can run in parallel, and you no longer become the bottleneck at every step the agent takes. That’s the core pitch. You start a task from the Mistral Vibe CLI or directly from Le Chat — Mistral’s AI assistant — and the agent handles the rest. When it’s done, it opens a pull request on GitHub and notifies you, so you review the result inste...
Post a Comment
Read more

OpenAI Debuts Symphony to Orchestrate Coding Agents at Scale

OpenAI has unveiled Symphony, an open-source specification that shifts how software development teams deploy AI in workflows, moving from interactive coding assistance toward continuous orchestration of autonomous agents. Symphony reframes project management tools as operational hubs for AI-driven coding. Rather than prompting an assistant for individual tasks, developers assign work through issue trackers, allowing agents to execute tasks in parallel and deliver outputs for human review. The change reflects a trend in enterprise AI in which systems are increasingly embedded into production pipelines rather than used as standalone tools. Symphony emerged from internal experimentation at   OpenAI , where engineers attempted to scale the use of   Codex   across multiple concurrent sessions. While the agents proved capable, human operators became the limiting factor. Engineers found they could only manage a handful of sessions before coordination overhead offset pro...
Post a Comment
Read more