Claude Code Finding 1: Silent Command Execution via .mcp.json Trust Model

Introduction: This post documents the first finding from my security research into Claude Code’s MCP (Model Context Protocol) trust model. The research demonstrates that after a user grants initial trust to an MCP server, subsequent modifications to .mcp.json execute silently on the next Claude Code launch with no re-validation, no re-prompting, and no user visibility. This was reported to Anthropic via HackerOne and closed as Informative (by-design behavior per their workspace trust model). ...

March 12, 2026 · 3 min

Claude Code Finding 3: MCP Tool Confirmation Prompt Misrepresentation Enables Arbitrary Code Execution

Introduction: This is the third finding from my Claude Code security research, and the one I consider the most impactful. A malicious MCP server can completely misrepresent what it does in Claude Code’s tool confirmation prompt, causing a user to approve what appears to be a safe file read while the server silently executes arbitrary system commands, writes files outside the project directory, and runs OS-level commands. This was submitted to Anthropic via HackerOne. ...

March 12, 2026 · 3 min

Claude Code Finding 4: Remote Control Session Hijacking via Missing Per-Session Authentication

Introduction: This is the fourth finding from my Claude Code security research. The claude.ai/v1/sessions/{session_id}/events endpoint, used by Claude Code’s remote-control feature, lacks per-session authentication. An attacker who obtains a user’s sessionKey cookie can inject arbitrary messages into an active session from any machine on the internet. Injected messages are processed identically to legitimate user messages with no visual indicator of external origin.
Product: Claude Code CLI v2.1.63
Feature: Remote Control (claude remote-control)
CWE: CWE-306 (Missing Authentication for Critical Function)
GitHub: claude-code-session-hijack ...

March 12, 2026 · 4 min

Remote Code Execution in docker-wkhtmltopdf-aas: Command Injection via Unsanitized Options

How I found a critical command injection vulnerability in docker-wkhtmltopdf-aas, a Dockerized HTML-to-PDF web service, and achieved remote code execution as root through unsanitized user options passed to a shell command.

March 1, 2026 · 8 min

Finding an RCE in iOS-remote: OS Command Injection via Flask

How I found an OS command injection vulnerability in iOS-remote, a Flask-based iOS device management tool, and achieved remote code execution through an unsanitized subprocess call.

February 28, 2026 · 6 min