🤖 AI Summary
A recently disclosed vulnerability in Anthropic's Claude Code Action shows how prompt injection can escalate to remote code execution (RCE). Rated CVSS 7.7, the flaw lets an external, unauthenticated attacker inject prompts that cause the action to execute attacker-chosen code inside a GitHub Actions workflow. As LLM agents such as Claude are given more agency and access to sensitive operations, including managing source code repositories, this case illustrates the core risk of an agent whose actions can be steered by user-generated input.
The vulnerability matters because it enables supply chain attacks: an attacker could exfiltrate sensitive information, push unauthorized code changes to the repository, or craft malicious GitHub Actions that compromise self-hosted runners. The findings underscore the need for rigorous controls wherever an LLM operates in an environment that handles critical functions, since even routine interactions with the AI can become an entry point for exploitation. It is a wake-up call for the AI/ML community to strengthen defences against prompt injection in systems with significant operational capabilities.
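As an added illustration, not code from the original page or from Anthropic's project: two GitHub Actions workflow documents, the first showing the kind of exposure the summary describes (untrusted commenters reach the agent, which runs with a broad token on a self-hosted runner), the second a tightened version. The action reference, the `anthropic_api_key` input name and the commit SHA are placeholders and assumptions; this does not reproduce the actual vulnerable configuration. The hardening applies general controls: least-privilege token permissions, gating on the commenter's repository role, pinning the action to a commit, and an ephemeral hosted runner.

```yaml
# Added example, not the project's workflow. Action reference, input names and
# commit SHA are placeholders (assumptions); check the action's own documentation.

# --- Exposed pattern: anyone who can comment on an issue or PR feeds text to
# the agent, which runs with a write-everything token on your own infrastructure.
name: claude-unsafe
on:
  issue_comment:
    types: [created]
permissions: write-all              # agent token can push code, edit workflows, etc.
jobs:
  agent:
    runs-on: self-hosted            # a hijacked job now lives on a persistent machine
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@main   # floating ref, no integrity pin
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed input name
---
# --- Hardened pattern: same trigger, smaller blast radius.
name: claude-hardened
on:
  issue_comment:
    types: [created]
permissions:
  contents: read                    # raise to write only if the agent must push
  issues: write
  pull-requests: write
jobs:
  agent:
    # Only act on comments from accounts with a repository role. Drive-by
    # commenters (NONE, FIRST_TIMER, and previous CONTRIBUTORs) never reach the model.
    if: contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest          # ephemeral hosted runner, discarded after the job
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # don't leave the token in .git/config for later steps
      - uses: anthropics/claude-code-action@<full-commit-sha>   # pin to a reviewed commit; placeholder SHA
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}  # assumed input name
```

The role gate stops untrusted accounts from triggering the agent, but it does not make the model's input trustworthy: a trusted commenter can still paste attacker-authored text, and the agent reads issue bodies, diffs and files that outsiders wrote. Treat the gate as reducing exposure; the token scope and the disposable runner are what bound the damage when an injection does land.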