So how was the Claude Code CLI vulnerability discovered?
Joernchen from 0day.click found the critical Claude Code CLI vulnerability during a manual source-code audit. According to the technical findings, the underlying vulnerability stemmed from how the Claude Code CLI handled incoming command-line arguments. Source: Cyberpress
The eagerParseCliFlag parsing flaw
Also, the issue sat inside an internal asset named eagerParseCliFlag. The fundamental flaw was a parsing system that operated entirely independent of context. Also, the eagerParseCliFlag function scans command-line arguments for overrides like –settings= before the app starts.
However, the design failed to check whether the string was a real flag or part of another input. This lack of sanitization meant that any flag-like input could trick the system into treating it as a directive. Source: Cyberpress
Exploitation via the claude-cli:// protocol handler
This parsing oversight transformed from a minor logic bug into a severe security vector when paired with Claude Code’s custom protocol handler (claude-cli://). In modern operating systems, custom URL schemes allow web browsers to launch local desktop applications directly. An attacker could craft a malicious deeplink containing an injected payload hidden inside the prompt fields.
Because the pre-parsing engine processed these strings blindly, it registered the attacker’s hidden string as a valid override. By exploiting this sequence, threat actors could inject malicious shell commands into the tool’s automated hooks, including SessionStart.
When the victim clicked the rigged URL, the terminal assistant ran the hook and the attacker’s script without approval. What elevated this vulnerability to a high-severity threat was its stealth capability.
Bypassing workspace trust guardrails
Under normal conditions, Claude Code adds built-in guardrails and often prompts users with a workspace trust dialog. This mechanism prevents unauthorized code execution in untrusted environments. However, attackers found a clever way to bypass this defense.
By changing the repository path in the malicious deeplink to a trusted local folder, the exploit could run silently. Believing it was safe, the system suppressed all warnings. As a result, the developer missed the malicious payload.
Patch and recommended remediation
Protecting developer environments from supply chain and tooling vulnerabilities is vital to preventing broader enterprise breaches. Anthropic moved quickly to mitigate the risk, officially deploying a security patch in Claude Code version 2.1.118. The updated software completely replaces the flawed eagerParseCliFlag logic with a robust, context-aware argument processor.
This update ensures that parameters are only recognized when users declare them in a safe context. Security experts advise software teams using the Claude Code CLI to upgrade to version 2.1.118 or later immediately.
[Attacker Link: claude-cli://...] ──> [eagerParseCliFlag (No Context Check)] ──> [Malicious Configuration Override] ──> [Automated Session Execution]
claude-cli://prompt?text=hello--settings=MaliciousPayload