A critical remote code execution vulnerability in claude-hovercraft allows unauthenticated attackers to gain full control over the service account through command injection.

The flaw exists in the executeClaudeCode method due to a lack of validation for user-supplied strings before they are passed to a system call. This allows an unauthenticated remote attacker to inject and execute arbitrary shell commands.

This vulnerability poses an extreme risk, as it allows for full Remote Code Execution (RCE) without any credentials. An attacker can compromise the host system, steal sensitive data, or use the server as a pivot point for lateral movement within the network. The CVSS score of 9.8 underscores the Critical nature of this security failure.

Immediate Action: Update claude-hovercraft to the latest version immediately to patch the insecure executeClaudeCode implementation.

Proactive Monitoring: Monitor system logs for unusual child processes spawned by the claude-hovercraft service and check for unauthorized outbound network connections.

Compensating Controls: Restrict the service account's permissions using the principle of least privilege and implement egress filtering to block malicious callbacks.

Public Exploit Available: No

Immediate remediation is mandatory. Because this vulnerability requires no authentication and leads to total system compromise, administrators should apply the patch within 24 hours of discovery to mitigate the risk of a catastrophic security breach.