Rtk
Monthly
Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.
Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. SSVC lists a proof-of-concept as available, though EPSS is low (0.23%, 14th percentile) and it is not in CISA KEV.
Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.
Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. SSVC lists a proof-of-concept as available, though EPSS is low (0.23%, 14th percentile) and it is not in CISA KEV.