🤖 AI Summary
Security researcher Joernchen recently exposed a remote code execution (RCE) vulnerability in Claude Code version 2.1.118, which stemmed from flawed CLI argument parsing. The issue arises from the tool’s deeplink handler that registers URLs to spawn Claude Code with parameters passed as command-line arguments. The vulnerability is located in the eagerParseCliFlag function, which inadequately processes these arguments, allowing attackers to manipulate them and inject malicious commands without triggering trust dialogs.
This discovery is significant for the AI/ML community because it highlights a common parsing anti-pattern in AI developer tools that accept input from untrusted sources such as URLs. Joernchen's findings underscore the need for stronger safeguards: developers should parse deeplink inputs as rigorously as they would HTTP query parameters. Naive checks such as "startsWith" are flagged as a systemic pattern, and how CLI arguments are processed in AI tools needs to be reassessed to prevent exploitation. Anthropic has since patched the vulnerability in version 2.1.119, but the incident serves as a cautionary tale for developers in the fast-evolving landscape of AI software integration.
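To make the anti-pattern concrete, here is an added example (not Claude Code's own code, and not the specific bypass, which the summary does not reproduce) that contrasts a prefix-based flag check with an allowlist parser that treats deeplink parameters like an HTTP query string. The `claude-demo://` scheme and the flag names are assumptions for illustration.

```javascript
// Added example, not Claude Code's own code. The "claude-demo://" scheme
// and the flag names below are assumptions for illustration.

// Explicit allowlist: flag name -> validator for its value (null = boolean flag).
const ALLOWED_FLAGS = {
  "--model": (v) => /^[a-z0-9.-]{1,64}$/i.test(v),
  "--verbose": null,
};

// Anti-pattern: prefix matching. Checking "--model" as a prefix also accepts
// "--model-file=..." or "--modelxyz", which the allowlist never intended.
function naiveIsAllowed(arg) {
  return Object.keys(ALLOWED_FLAGS).some((f) => arg.startsWith(f));
}

// Hardened approach: parse the deeplink like an HTTP query string. Every
// parameter name must equal an allowlisted flag exactly, every value must
// pass that flag's validator, and any unexpected input rejects the whole link.
function parseDeeplinkArgs(link) {
  const url = new URL(link);
  const argv = [];
  for (const [name, value] of url.searchParams) {
    const flag = `--${name}`;
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FLAGS, flag)) {
      throw new Error(`rejected unknown parameter: ${name}`);
    }
    const validate = ALLOWED_FLAGS[flag];
    if (validate === null) {
      // Boolean flag: a supplied value is unexpected input, so reject it.
      if (value !== "") throw new Error(`flag ${flag} takes no value`);
      argv.push(flag);
    } else {
      // Reject values that could be reinterpreted as a flag by the spawned CLI.
      if (!validate(value) || value.startsWith("-")) {
        throw new Error(`rejected value for ${flag}`);
      }
      argv.push(flag, value);
    }
  }
  // Caller should pass argv as an array to a spawn call (no shell involved).
  return argv;
}
```

The returned array is meant for an argv-style spawn without a shell, so the validated values are never re-tokenized on the way to the child process.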