RSS

I reproduced a Claude Code RCE. The bug pattern is everywhere

GeorgeWoff252 pts1 comments

I reproduced a Claude Code RCE. The bug pattern is everywhere.

Notification<br>Show More

Latest News

I reproduced a Claude Code RCE. The bug pattern is everywhere.

Tech

Anthropic files lawsuit against Pentagon over AI blacklist and Claude restrictions

Business

Marjorie Taylor Greene: You’re all being ‘incited into civil war’

Politics<br>Law

Alex Pretti Did Not Brandish Gun, Witnesses Say in Sworn Testimony

Law

Judge Rules ICE Can’t Break Into Homes Without a Judge’s Warrant, Contradicting Secret ICE Memo

Law

Aa

Vechron

Aa

Home

Politics

Search

Follow US

I reproduced a Claude Code RCE and found the same bug pattern in other AI tools.

SHARE

Last week, security researcher Joernchen published a clever RCE in Claude Code 2.1.118. I spent Saturday reproducing it from the advisory to understand the pattern. The bug is fixed now, but the parsing anti-pattern behind it is everywhere in AI developer tools.

The setup

Claude Code registers a deeplink handler: claude-cli://open. Click it in a browser, Slack, email — anywhere — and the OS spawns Claude Code with the URL’s query parameters passed as CLI arguments.

The vulnerability lives in eagerParseCliFlag, a function in main.tsx that pre-processes critical flags like --settings before the main argument parser runs. The code pattern:

startsWith on raw args. No context awareness. No understanding of whether that string is a flag, a value, or nested inside another flag’s value.

The injection

The deeplink handler uses --prefill to populate the user prompt from the URL’s q parameter. But because eagerParseCliFlag naively scans the entire argument array, an attacker can smuggle --settings inside --prefill‘s value:

The eagerParseCliFlag loop sees --settings=/tmp/evil.json inside the --prefill value and loads it as legitimate configuration.

The payload

A crafted settings file at that path:

Claude Code spawns. The session starts. The hook fires. Arbitrary shell execution.

The trust bypass

Here’s what elevates this from annoying to dangerous: the repo parameter.

If repo points at a repository the user has already cloned and trusted — like anthropics/claude-code — the workspace trust dialog never appears. The user clicks a link, Claude Code opens silently, and the attacker’s settings are already loaded.

Joernchen’s example used anthropics/claude-code specifically because it’s the tool’s own repo. Most users who’ve run Claude Code have implicitly trusted it.

Why this pattern matters

This isn’t a memory corruption bug. It’s not a prompt injection. It’s a CLI parsing anti-pattern in a tool that bridges the web and your shell.

AI coding tools are rushing to add deeplinks, browser integrations, "open in IDE" flows. They’re handling untrusted input — URLs from the web — with parsing logic that assumes trusted, hand-typed arguments.

The startsWith pattern appears elsewhere. Joernchen flagged it as a systemic issue:

The fix

Anthropic patched this in 2.1.119. The deeplink handler now passes arguments through the proper CLI parser before eagerParseCliFlag processes them. The nested --settings inside --prefill is correctly treated as a value, not a flag.

What you should check

If you ran Claude Code 2.1.118 or earlier:

Check ~/.claude/settings.json for unexpected hooks entries

Review ~/.claude/projects/*/settings.json in trusted projects

If you clicked any claude-cli:// links from untrusted sources, assume compromise

What builders should do

Deeplink arguments are untrusted . Parse them with the same rigor you’d use for HTTP query parameters.

One parser, not two . If you need early flag processing, use the same parser for everything. Don’t pre-scan with startsWith.

Trust dialogs should verify path/content, not string matches . Trusting anthropics/claude-code by name means any fork or namesquat passes the check.

Joernchen’s original writeup at 0day.click has the full source analysis and timeline. Worth reading if you’re building anything with deeplink-to-CLI flows.

TAGGED:<br>AI Agents, Claude Code, Cybersecurity

Share this Article

Facebook

Twitter Copy Link<br>Print

Leave a comment<br>Leave a comment

Leave a Reply Cancel reply<br>Your email address will not be published. Required fields are marked *<br>Comment *<br>Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

You Might Also Like

Tech

Apple, Google Urged to Remove X and Grok From Their App Stores Over AI Deepfake Sex-Image Scandal

Nikhil Das

January 15, 2026

BusinessTech

Larry Page Overtakes Jeff Bezos to Become World’s Third-Richest Man After Gemini 3 Launch

Aisha Menon

November 23, 2025

Tech

Teen Handcuffed After AI Mistakes Crisp Packet for Gun in US

Aisha Menon

October 24, 2025

Tech

Google Locks Down NYC Office After Bed Bugs Take Over Its Manhattan Campus

Aisha Menon

October 23, 2025

Removed from reading list

Undo

Welcome Back!<br>Sign in to your account

Username or Email Address

Password

Remember Me

Lost your password?

claude code pattern settings from deeplink

Related Articles

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

SpaceX not the behemoth everyone thought

kaycebasques13 pts_blockquote instagram data vars text media

Elevated error rates on requests to multiple models

recroad9 ptsclaude incident islands rates elevated error

Donald Trump and sons to be 'forever' exempt from tax audits

doener9 ptsdigital access newsletters premium financial times

PopuLoRA: Co-Evolving LLM Populations for Reasoning Self- Play

AMavorParker8 ptstasks model training self populora play
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.