Critical RCE Vulnerabilities In Claude Desktop Let Attackers...
Critical remote code execution (RCE) flaws have been found in three official extensions for Anthropic’s Claude Desktop. The vulnerabilities, which affect the Chrome, iMessage, and Apple Notes connectors, stem from command injection through unsanitized input and carry a high-severity CVSS score of 8.9.
The extensions were published and promoted directly by Anthropic at the top of its extension marketplace, and the flaws could allow attackers to execute arbitrary code on users’ machines through seemingly innocent interactions with the AI assistant. Fortunately, Anthropic has patched all three issues.
The discovery from KOI Security highlights the risks in emerging AI ecosystems, where extensions bridge powerful language models and local systems with minimal safeguards.
Unlike browser add-ons, these tools operate with full system privileges, amplifying the potential damage from basic security oversights.
Claude Desktop Extensions function as packaged MCP servers, distributed as .mcpb bundles, essentially zipped archives with server code and function manifests.
They offer a one-click installation similar to Chrome extensions but lack the sandboxing that protects browser environments. Instead, they run unsandboxed on the host machine, granting access to files, commands, credentials, and system settings.
This design positions them as privileged intermediaries between Claude’s AI and the operating system, making them potent but perilous.
The vulnerabilities exploited this trust. Each extension processed user inputs such as URLs or messages via AppleScript commands without proper sanitization.
For instance, a command to open a URL in Chrome used template literals to insert the input directly, like: tell application "Google Chrome" to open location.
An attacker could craft a malicious input to escape the string context and inject arbitrary AppleScript, which then triggers shell commands with elevated privileges.
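The pattern described above, next to a hardened form, as an added example that is not code from the affected extensions or from Anthropic. The function names, the interpolated `url` variable and the sample input are assumptions made for illustration. The fix keeps the AppleScript text constant and passes the input to osascript as a separate argument.

```javascript
// Added example. All names here are hypothetical, not the extensions' source.

// BEFORE: the pattern the article describes. Input is pasted into script source,
// so a double quote in the input ends the string literal early.
function buildVulnerableScript(url) {
  return `tell application "Google Chrome" to open location "${url}"`;
}

// AFTER: the script text never changes. The input arrives as an argv item
// and is read inside AppleScript through the `on run argv` handler.
const SCRIPT_LINES = [
  'on run argv',
  'tell application "Google Chrome" to open location (item 1 of argv)',
  'end run',
];

function buildSafeInvocation(input) {
  const parsed = new URL(input); // throws if the input is not a URL at all
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${parsed.protocol}`);
  }
  // One -e per script line, then the URL as a trailing argument.
  const args = SCRIPT_LINES.flatMap((line) => ['-e', line]);
  args.push(parsed.href);
  return { file: 'osascript', args };
}

// Runs the safe form. execFile passes args as an array and starts no shell.
function openInChrome(input, callback) {
  const { execFile } = require('node:child_process');
  const { file, args } = buildSafeInvocation(input);
  execFile(file, args, callback);
}

// Helper for inspecting the generated script text.
function countQuotes(text) {
  return (text.match(/"/g) || []).length;
}

// Constructed sample input: harmless, but it contains double quotes.
const SAMPLE_INPUT = 'https://example.com/" & "x';
```

With the sample input, the vulnerable builder produces six double quotes instead of the four a well-formed statement has, which shows the string literal was closed by the input. The safe builder emits identical script lines for every input.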
Source: Cybersecurity News