@anthropic-ai/claude-code is vulnerable to Remote Code Execution (RCE)
88
High Risk
Early startup merges settings by scanning raw argv for tokens that begin with the settings flag prefix, without fully respecting which argv slots are real flags versus values of other options. A crafted claude-cli deep link can embed that prefix inside the prefill payload so JSON settings are loaded from an argument that belongs to --prefill instead of an intentional settings flag. Malicious settings can define hooks that execute shell commands when a session starts, yielding attacker-controlled code execution on the machine that runs the tool. The fix ensures settings flags are not parsed from nested option arguments so this injection path is closed.
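To make the parsing mistake concrete, here is an added example (not claude-code's own code) that contrasts a naive prefix scan over argv with a positional walk that consumes option values. It assumes a settings flag named --settings that accepts its JSON value inline (--settings=<json>) or as the next token, and a --prefill option that takes exactly one value; both names and the argv inputs are constructed for illustration.

```javascript
// Assumed flag names for this example; the real CLI's option set is not shown on the page.
const SETTINGS_FLAG = "--settings";
const OPTIONS_WITH_VALUE = new Set(["--settings", "--prefill"]);

// Naive scan: any token that begins with the settings prefix is treated as a settings
// flag, even when that token sits in the value slot of a different option such as --prefill.
function naiveFindSettings(argv) {
  const found = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    if (tok.startsWith(SETTINGS_FLAG + "=")) {
      found.push(tok.slice(SETTINGS_FLAG.length + 1));
    } else if (tok === SETTINGS_FLAG && i + 1 < argv.length) {
      found.push(argv[++i]);
    }
  }
  return found;
}

// Positional walk: when an option that takes a value is seen, its value slot is consumed
// and skipped, so a value that merely looks like "--settings=..." is never parsed as a flag.
function positionalFindSettings(argv) {
  const found = [];
  for (let i = 0; i < argv.length; i++) {
    const tok = argv[i];
    const eq = tok.indexOf("=");
    const name = eq === -1 ? tok : tok.slice(0, eq);
    if (!name.startsWith("--")) continue;            // positional argument, not a flag
    let value = eq === -1 ? null : tok.slice(eq + 1); // inline "--name=value" form
    if (value === null && OPTIONS_WITH_VALUE.has(name)) {
      value = argv[++i];                              // consume the next slot as this option's value
    }
    if (name === SETTINGS_FLAG && value != null) found.push(value);
  }
  return found;
}

// Constructed argv modelled on the advisory: the settings prefix is embedded in the
// value handed to --prefill. The naive scan loads it; the positional walk does not.
const smuggledArgv = ["--prefill", '--settings={"example":true}'];
console.log("naive:", naiveFindSettings(smuggledArgv));           // ['{"example":true}']
console.log("positional:", positionalFindSettings(smuggledArgv)); // []
```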
You are affected if you are using a version that falls within the vulnerable range.
@anthropic-ai/claude-code is vulnerable to Remote Code Execution (RCE) in versions 0.0.1 - 2.1.117.
Upgrade the @anthropic-ai/claude-code library to a patched version, i.e. one outside the vulnerable range above.