Titikey

Claude Code RCE Vulnerability: Click a Malicious Link to Execute Arbitrary Commands

5/23/2026
Claude

A critical remote code execution vulnerability (CVE not yet disclosed) has been discovered in Anthropic’s Claude Code CLI tool. Attackers can trick victims into clicking a specially crafted deeplink, which then silently executes arbitrary commands on the target device without any further interaction or confirmation. The vulnerability has been patched in Claude Code version 2.1.118.

Security researcher Joernchen (from 0day.click) identified the flaw while auditing the Claude Code source code. The root cause lies in the argument parser handling the claude-cli:// protocol — it fails to properly validate the --prefill option in the URI. Attackers can craft a malicious URI, inject the payload via the SessionStart hook, and set the repo parameter to a locally trusted repository (e.g., Anthropic’s own anthropics/claude-code), causing commands to execute silently in the background with no warning popup.

The attack barrier is low: attackers simply create a seemingly harmless link and use social engineering or web redirects to trick users into clicking it. Because the deeplink handler directly parses the malicious parameters, no sandbox bypass or privilege escalation is needed. Anthropic has released an emergency update that fixes the parsing logic, and all users are urged to upgrade to version 2.1.118 or later immediately and treat any untrusted claude-cli:// links with caution.

Bottom line: This vulnerability is another wake-up call — deeplink handling in CLI tools is becoming a high-risk attack surface. When implementing URI handlers, developers should apply whitelist filtering to all parameters by default and add user confirmation mechanisms. Otherwise, a seemingly minor parsing error can lead to full remote control.
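The allowlist-plus-confirmation approach recommended above, as an added example that is not Claude Code's own code or Anthropic's fix. The URI layout, the "open" action, and the "repo" and "prompt" parameter rules are assumptions made for illustration.

```javascript
// Added example (not Claude Code's implementation). The URI layout, the "open"
// action and the "repo"/"prompt" parameters are assumptions for illustration.
const ALLOWED_ACTIONS = new Set(["open"]);
const PARAM_RULES = {
  // Values must start with an alphanumeric, so none can pass as a "--option".
  repo: /^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\/[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$/,
  prompt: /^[A-Za-z0-9][A-Za-z0-9 .,?!'_-]{0,199}$/,
};
const reject = (reason) => ({ ok: false, reason });

function parseDeeplink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return reject("not a valid URL");
  }
  if (url.protocol !== "claude-cli:") return reject("unexpected scheme");
  if (!ALLOWED_ACTIONS.has(url.hostname)) return reject("unknown action");
  if (url.username || url.password || url.port || url.hash) {
    return reject("unexpected URL component");
  }
  if (url.pathname !== "" && url.pathname !== "/") return reject("unexpected path");

  const params = {};
  for (const [key, value] of url.searchParams) {
    // Default deny: any key without an explicit rule fails the whole link.
    const rule = Object.hasOwn(PARAM_RULES, key) ? PARAM_RULES[key] : null;
    if (!rule) return reject(`parameter not allowed: ${key}`);
    if (key in params) return reject(`duplicate parameter: ${key}`);
    if (!rule.test(value)) return reject(`invalid value for: ${key}`);
    params[key] = value;
  }
  if (!params.repo) return reject("missing repo");
  // Structured data only: the caller never splices these into an argv string.
  return { ok: true, action: url.hostname, params };
}

// Confirmation is unconditional: a familiar-looking repo does not skip it.
function handleDeeplink(raw, confirm) {
  const parsed = parseDeeplink(raw);
  if (!parsed.ok) return parsed;
  const summary = `Open ${parsed.params.repo}` +
    (parsed.params.prompt ? ` with prompt "${parsed.params.prompt}"` : "");
  return confirm(summary) === true ? parsed : reject("user declined");
}
```

The `confirm` callback stands in for whatever prompt the tool shows the user; the handler returns an approved result only when that callback returns `true`.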
