What's Happening?
A critical remote code execution (RCE) vulnerability has been identified in Anthropic's Claude Code CLI tool. This flaw allows attackers to execute arbitrary commands on a victim's machine by tricking them into clicking a specially crafted deeplink. The vulnerability was discovered by security researcher Joernchen of 0day.click during a manual audit of Claude Code's source code. The issue was rooted in a naive command-line argument parser that could be exploited through the tool's claude-cli:// deeplink handler. The flaw has been patched in Claude Code version 2.1.118, which now includes context-aware argument parsing to prevent such injection attacks. Users are strongly advised to update to the latest version to mitigate this risk.
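The bug class described above, sketched as an added example (not code from Claude Code or from the researcher's write-up): a position-blind parser acts on a deeplink-supplied value that merely looks like an option, while a context-aware parser keeps it as data. The example-cli:// scheme, the option names and all function names are hypothetical.

```javascript
// Added illustration: scheme, option names and functions are hypothetical.
const SPEC = new Map([
  ['--prompt', { takesValue: true }],
  ['--no-confirm', { takesValue: false }],
]);

// Naive: any token matching a known option is acted on, whatever its position.
function parseNaive(argv) {
  const out = { flags: [], values: {} };
  for (let i = 0; i < argv.length; i++) {
    const opt = SPEC.get(argv[i]);
    if (!opt) continue;
    if (opt.takesValue) out.values[argv[i]] = argv[i + 1]; // value is not consumed
    else out.flags.push(argv[i]);
  }
  return out;
}

// Context-aware: a token following a value-taking option is data and is never
// re-read as an option; anything unexpected is rejected instead of skipped.
function parseContextAware(argv) {
  const out = { flags: [], values: {} };
  for (let i = 0; i < argv.length; i++) {
    const name = argv[i];
    const opt = SPEC.get(name);
    if (!opt) throw new Error(`unexpected argument: ${name}`);
    if (!opt.takesValue) { out.flags.push(name); continue; }
    if (i + 1 >= argv.length) throw new Error(`${name} requires a value`);
    out.values[name] = argv[++i];
  }
  return out;
}

// Deeplink side: only allowlisted query keys map to options; the rest are refused.
const LINK_PARAMS = new Map([['q', '--prompt']]);
function deeplinkToArgv(link) {
  const url = new URL(link);
  if (url.protocol !== 'example-cli:') throw new Error('unsupported scheme');
  const argv = [];
  for (const [key, value] of url.searchParams) {
    const option = LINK_PARAMS.get(key);
    if (!option) throw new Error(`unsupported deeplink parameter: ${key}`);
    argv.push(option, value);
  }
  return argv;
}

// Constructed sample link: the value of q merely looks like an option.
const SAMPLE_LINK = 'example-cli://open?q=--no-confirm';
```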
Why It's Important?
The discovery of this vulnerability highlights the significant security risks associated with command-line tools that handle deeplinks. Such vulnerabilities can lead to unauthorized access to and control over a user's system, threatening data integrity and privacy. The flaw in Claude Code underscores the importance of robust security practices in software development, particularly in tools that are widely used in development environments. Because exploitation requires no user interaction beyond clicking a link, this is a critical issue for users of the affected software. The incident serves as a reminder for developers to carry out thorough security audits and ship updates to protect against similar vulnerabilities.
What's Next?
Following the patch release, users of Claude Code are urged to update to version 2.1.118 immediately to protect against potential exploitation. Security researchers and developers are likely to scrutinize other command-line tools for similar vulnerabilities, potentially leading to further discoveries and patches. Organizations using Claude Code should review their security protocols and ensure that all systems are updated promptly. The broader cybersecurity community may also use this incident to advocate for improved security standards and practices in software development.






