Researchers at Koi Security have found that three of Anthropic’s official extensions for Claude Desktop were vulnerable to prompt injection.
The vulnerabilities, reported through Anthropic’s HackerOne program on July 3 and verified as high severity (CVSS 8.9), affected the Chrome, iMessage and Apple Notes connectors.
These extensions are packaged Model Context Protocol (MCP) servers available for download from Anthropic’s marketplace. They allow Claude, the underlying large language model (LLM) which all Anthropic tools rely on, to act on behalf of the user using the web and applications they connect it with.
At first, these extensions look very similar to browser extensions, such as Chrome extensions, providing that same one-click install experience.
Unsanitized Command Injection in Unsandboxed Extensions
While Chrome extensions run in a sandboxed browser process, Claude Desktop extensions run fully unsandboxed on the user’s device, with full system permissions.
“That means they can read any file, execute any command, access credentials and modify system settings. They’re not lightweight plugins – they’re privileged executors bridging Claude’s AI model and your operating system,” the Koi Security researchers wrote in a November 5 report.
The vulnerabilities affecting the three extensions are due to unsanitized command injection, which could turn any benign question to Claude into remote code execution (RCE) on a machine if a malicious actor manages to craft content that get accessed by Claude Desktop.
The assistant, acting in good faith, executes malicious commands because it believes it’s following legitimate instructions.
The attacker could thus be able to collect key information, such as SSH keys, AWS credentials or browser passwords.
These vulnerabilities were fully fixed by Anthropic in version 0.1.9. These fixes were verified by Koi Security on September 19.
