%20--%3e%3cdefs%3e%3cstyle%3e%20.st0%20{%20fill:%20%23061b40;%20}%20.st1%20{%20fill:%20%23306af1;%20}%20.st2%20{%20fill:%20%235ce5cf;%20}%20%3c/style%3e%3c/defs%3e%3cg%3e%3cpath%20class='st0'%20d='M55,10.5h9v3h-9v9h12V7.5h-12v3ZM64,19.5h-6v-3h6v3Z'/%3e%3cpolygon%20class='st0'%20points='69%2016.5%2078%2016.5%2078%2019.5%2069%2019.5%2069%2022.5%2081%2022.5%2081%2013.5%2072%2013.5%2072%2010.5%2081%2010.5%2081%207.5%2069%207.5%2069%2016.5'/%3e%3cpolygon%20class='st0'%20points='95%2010.5%2095%207.5%2083%207.5%2083%2022.5%2095%2022.5%2095%2019.5%2086%2019.5%2086%2016.5%2095%2016.5%2095%2013.5%2086%2013.5%2086%2010.5%2095%2010.5'/%3e%3cpath%20class='st0'%20d='M40,1.5v21h11.6l1.4-1.4v-7.6h0c0,0-1.4-1.5-1.4-1.5l1.4-1.4V2.9l-1.4-1.4h-11.6ZM50,19.5h-7v-6h7v6ZM50,10.5h-7v-6h7v6Z'/%3e%3c/g%3e%3cpath%20class='st1'%20d='M23.1,24L14.7,4.8l-4.9,11.2h3.8l-1.8,4H3.3L12.1,0H2C.9,0,0,.9,0,2v20c0,1.1.9,2,2,2h21.1Z'/%3e%3cpath%20class='st2'%20d='M34,0h-16.8l10.6,24h6.2c1.1,0,2-.9,2-2V2C36,.9,35.1,0,34,0ZM32.5,20h-4V4h4v16Z'/%3e%3c/svg%3e)
Israeli security company LayerX recently disclosed a critical vulnerability targeting Claude Desktop Extensions (now renamed MCP Bundles). Researchers found that attackers could exploit this vulnerability to achieve "zero-click" remote code execution, with the potential impact reaching the maximum score of 10/10 on the CVSS scale.
The core of the vulnerability lies in the fact that Claude automatically processes input information from external connectors, such as Google Calendar. Attackers only need to send a Google Calendar invitation containing malicious instructions. When users let Claude handle the schedule, the AI model might autonomously decide to call plugins with command execution permissions to execute these hidden instructions. Due to the lack of strong protection in Claude's processing of such workflows, malicious code can be downloaded, compiled, and executed without user confirmation.
In response to this discovery, Anthropic stated that they currently do not plan to fix the issue. The company responded that MCP plugins are designed as local development tools, and their security boundaries are determined by the user's configuration and permissions. Users should take responsibility for the local servers they choose to install and authorize. Security experts, however, countered that although Claude claims the plugins run in a sandbox, the current permission control logic clearly fails to provide the expected protection against complex indirect prompt injection attacks.
Key Points:
🚨 High-Risk Vulnerability Alert: The Claude plugin system has been exposed to a level 10 security vulnerability, allowing malware to achieve zero-click remote execution through Google Calendar items.
📅 Attack Path: Exploiting the AI's ability to automatically read calendars, attackers can disguise malicious code as calendar tasks, prompting the AI to call high-privilege tools to execute attacks.
🛡️ Official Response: Anthropic believes this is beyond its current threat model, emphasizing that security responsibilities should be borne by users who independently install and authorize plugins.