Critical 0-Click Vulnerability in Claude Desktop Extensions Exposes Over 10,000 Users to Remote Attacks
A critical zero-click remote code execution (RCE) vulnerability has been identified in Claude Desktop Extensions (DXT), exposing over 10,000 active users to potential remote attacks. This flaw allows attackers to compromise systems without any user interaction, simply by sending a maliciously crafted Google Calendar event.
Security research firm LayerX discovered this vulnerability, assigning it a maximum severity score of 10/10 on the Common Vulnerability Scoring System (CVSS). The issue stems from a fundamental architectural flaw in how Large Language Models (LLMs) like Claude handle trust boundaries, particularly in the Model Context Protocol (MCP) ecosystem. This flaw enables AI agents to autonomously chain low-risk data sources to high-privilege execution tools without user consent.
Understanding the Vulnerability
Claude Desktop Extensions function as MCP servers running with full system privileges on the host machine. Unlike modern browser extensions that operate within sandboxed environments, these extensions act as active bridges between the AI model and the local operating system. This design means that if an extension is coerced into executing a command, it does so with the same permissions as the user, granting access to files, credentials, and system settings.
The Exploit Mechanism
The exploit requires no complex prompt engineering or direct interaction from the victim. An attacker can send a Google Calendar event titled Task Management with a description instructing the cloning of a malicious Git repository and execution of a makefile. When the user prompts Claude with a request like Please check my latest events in Google Calendar and then take care of it for me, the model interprets this as authorization to execute the tasks found in the calendar event. This sequence occurs without specific confirmation prompts, leading to a full system compromise.
Implications and Recommendations
This vulnerability highlights the risks associated with AI systems autonomously chaining tools together without proper safeguards. Users are advised to exercise caution when integrating AI assistants with system-level tools and to monitor for unusual activities. Implementing strict access controls and regularly updating software can help mitigate such risks.
