What happened
rtk's permission splitter, which decides whether a shell command is allowed before its output is filtered into LLM context, fails to conservatively reject or split several Bash constructs that are command-execution boundaries. An allowed command prefix can be followed by subshells or nested execution to achieve arbitrary command execution.
Why it matters
rtk sits between the shell and the LLM context window — it is a security control for AI coding agents. Bypassing its permission splitter means attacker-controlled content (e.g. from a project's Makefile or shell scripts) can execute arbitrary commands in the context of the LLM's execution environment, completely subverting the tool's safety purpose.
Attack path
A command beginning with an allowed prefix but containing shell constructs that Bash treats as execution boundaries (subshells, process substitution, command grouping) bypasses the permission splitter's conservative-split logic, executing attacker-controlled code under the guise of an approved command.
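The conservative behaviour expected of such a splitter, as an added example in Rust (not rtk's code and not its actual fix): deny any command containing an execution-boundary construct, split the rest on command separators, and require every segment to match an allow-list prefix. The `check` function, the allow list and the sample commands are constructed for illustration.

```rust
// Added example, not rtk's implementation. Deny-by-default: any construct that
// can start nested execution or confuse quote tracking is rejected outright.
#[derive(Debug, PartialEq)]
enum Verdict { Allow, Deny(&'static str) }

fn check(cmd: &str, allowed: &[&str]) -> Verdict {
    let mut segs = vec![String::new()];
    let (mut single, mut double) = (false, false);
    for c in cmd.chars() {
        if single {
            single = c != '\''; // everything inside '...' is literal
        } else {
            match c {
                // These stay live inside double quotes, so check them first.
                '`' | '$' => return Verdict::Deny("command substitution or expansion"),
                '\\' => return Verdict::Deny("backslash escape"),
                '"' => double = !double,
                _ if double => {} // the arms below apply to unquoted text only
                '\'' => single = true,
                '(' | ')' => return Verdict::Deny("subshell"),
                '{' | '}' => return Verdict::Deny("command grouping"),
                '<' | '>' => return Verdict::Deny("redirection, here-document or process substitution"),
                '#' => return Verdict::Deny("comment"),
                ';' | '|' | '&' | '\n' => { segs.push(String::new()); continue; }
                _ => {}
            }
        }
        segs.last_mut().unwrap().push(c);
    }
    if single || double { return Verdict::Deny("unterminated quote"); }
    let segs: Vec<&str> = segs.iter().map(|s| s.trim()).filter(|s| !s.is_empty()).collect();
    let ok = |s: &str| allowed.iter().any(|p| s == *p || s.starts_with(&format!("{p} ")));
    if segs.is_empty() || !segs.iter().all(|s| ok(*s)) {
        return Verdict::Deny("segment not on allow list");
    }
    Verdict::Allow
}

fn main() {
    let allowed = ["git status", "cargo test"]; // hypothetical allow list
    // Constructed inputs; `echo hi` stands in for any nested command.
    let samples = ["git status", "git status && cargo test", "git status '$(echo hi)'",
                   "git status $(echo hi)", "git status; (echo hi)",
                   "cargo test <(echo hi)", "git status; { echo hi; }"];
    for cmd in samples {
        println!("{:?} <- {cmd}", check(cmd, &allowed));
    }
}
```

The check deliberately over-rejects: plain redirections, comments and `$VAR` expansions are denied too, because each of them can desynchronise a simple quote tracker from what Bash actually parses.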
Affected systems
rtk (rtk-ai/rtk) < 0.42.2
Mitigation
Upgrade to rtk 0.42.2. Advisory: https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327