rtk: Permission-gate bypass in rtk rewrite auto-allow via unsplit shell separators
Description
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
Root cause
"The permission splitter in rtk rewrite did not treat newline, background `&`, command substitution (`$(...)`), or backtick substitution as command boundaries, causing a parser differential between the permission checker and Bash that allowed hidden commands to bypass authorization."
Attack vector
An attacker induces an LLM agent (e.g. through prompt injection or malicious repository content) to run a crafted shell command that begins with an allowed prefix such as `git` but appends a hidden command via newline (`\n`), background operator (`&`), command substitution (`$(...)`), or backtick substitution. The permission splitter in rtk rewrite only inspected the outer prefix, returned exit code 0 (auto-allow), and the hook emitted `permissionDecision: "allow"`. Bash then executed the full command including the hidden payload, bypassing the user's configured deny or ask rules. [CWE-863] [CWE-88] [ref_id=1]
What the fix does
The advisory does not include a patch diff, but the test results on the patch branch (`security/fix-permission-splitter-bypass`, commit `39859913c523`) show the fix makes the permission splitter treat newline, background `&`, command substitution, and backtick substitution as command boundaries. The hidden commands now either return exit=2 (deny) or exit=3 (not auto-allowed) instead of exit=0 (auto-allow). The advisory recommends splitting on those constructs outside quotes, never auto-allowing commands that contain non-attestable shell constructs, and preserving correct behavior for redirect operators such as `2>&1`. [ref_id=1]
Preconditions
- configrtk is installed as the Claude Code PreToolUse hook.
- configThe user's permission rules include a permissive allow rule matching the outer command (e.g. `Bash(git:*)`) while deny rules block the hidden command (e.g. `Bash(rm:*)`).
- inputThe agent is induced to execute a crafted command string containing a hidden shell construct, e.g. via prompt injection or malicious repository content.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.