
Microsoft fixes AutoGen Studio flaw that enabled code execution

Why This Matters

The quick patch of the AutoGen Studio flaw highlights the importance of proactive security measures in open-source AI development tools, especially as these frameworks become more integrated into enterprise and consumer applications. Addressing such vulnerabilities promptly helps prevent potential exploitation that could lead to severe security breaches, safeguarding both developers and end-users.

Key Takeaways

A vulnerability chain dubbed AutoJack in Microsoft’s AutoGen Studio interface for prototyping AI agents could let attackers manipulate an agent into executing arbitrary commands on its host system simply by visiting a malicious webpage.

AutoGen Studio is the graphical component for AutoGen, Microsoft’s open-source framework for building multi-agent AI systems. The framework allows developers to create AI agents that can collaborate with one another, use tools, browse the web, execute code, interact with APIs, and connect to external systems.

The project is very popular, with more than 59,000 stars and nearly 9,000 forks on GitHub. Microsoft notes that AutoJack's impact was limited because the issue was addressed during development.

"This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package," Microsoft says.

"The exposure was limited to developers who built AutoGen Studio from the main GitHub branch during the window between the MCP plugin landing and the hardening commit."

AutoJack details

Microsoft describes the AutoJack attack as being based on three separate weaknesses in AutoGen Studio:

1. The MCP WebSocket trusts connections originating from localhost, allowing a browsing agent running on the same machine to be tricked into loading attacker-controlled JavaScript that appeared to come from a trusted local source.

2. AutoGen Studio's authentication middleware excludes /api/mcp/* routes from authentication checks, while the MCP WebSocket endpoint fails to implement its own authentication, leaving it accessible without credentials.

3. The MCP WebSocket accepts a base64-encoded server_params value from the URL and passes it to the process-launching code, allowing attackers to specify and execute arbitrary PowerShell, Bash commands, or executables.
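The three weaknesses above are easiest to reason about as small decision functions. The following Python is an added, hypothetical model written for this article; it is not AutoGen Studio's source and not Microsoft's fix. The function names, the registered-server table, the token, and the allowed-origin set are all assumptions. Each "weak" function reproduces the decision described in the article, and each "hardened" function shows the shape of the defence: no route exemption for the MCP WebSocket, no trust in a localhost Origin as a substitute for credentials, and no process launch spec taken from the URL, only a reference to a server-side allowlist.

```python
"""Hypothetical model of the three AutoJack weaknesses and a hardened
counterpart for each. Illustrative code written for this article; it is not
AutoGen Studio's source, and every name and value below is an assumption."""
import base64
import hmac
import json
from typing import Optional

# Constructed sample: MCP servers an operator registered on the server side.
REGISTERED_MCP_SERVERS = {
    "filesystem": {"command": "mcp-server-filesystem", "args": ["--root", "/srv/data"]},
    "time": {"command": "mcp-server-time", "args": []},
}
# Constructed demo secret; a real deployment loads this from config, never source.
API_TOKEN = "constructed-demo-token"
# Constructed: the only browser origin the UI is served from.
ALLOWED_ORIGINS = {"http://localhost:8081"}


# Weaknesses 1 and 2: a route exemption plus trust in a localhost Origin.
def weak_requires_auth(path: str, origin: str) -> bool:
    """Before: /api/mcp/* is exempt from the auth middleware, and a localhost
    Origin is treated as proof of a trusted caller."""
    if path.startswith("/api/mcp/"):
        return False
    if origin.startswith(("http://localhost", "http://127.0.0.1")):
        return False
    return True


def hardened_is_authorized(path: str, origin: str, token: Optional[str]) -> bool:
    """After: every route, the MCP WebSocket included, needs a valid token.
    Origin is still checked, but a local Origin never replaces credentials,
    because a browsing agent on the same host can be steered to any page.
    `path` is accepted only to mirror the weak version: no prefix is exempt."""
    if origin not in ALLOWED_ORIGINS:
        return False
    if token is None:
        return False
    return hmac.compare_digest(token.encode(), API_TOKEN.encode())


# Weakness 3: the client supplies the process launch spec.
def weak_launch_spec(encoded_server_params: str) -> dict:
    """Before: whatever the caller base64-encodes becomes the launch spec."""
    return json.loads(base64.b64decode(encoded_server_params))


def hardened_launch_spec(encoded_server_ref: str) -> dict:
    """After: the caller may only name a registered server; command and args
    come from server-side configuration, so the URL never carries a command."""
    try:
        ref = json.loads(base64.b64decode(encoded_server_ref, validate=True))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("malformed server reference") from exc
    name = ref.get("server") if isinstance(ref, dict) else None
    if not isinstance(name, str) or name not in REGISTERED_MCP_SERVERS:
        raise ValueError(f"unknown MCP server: {name!r}")
    return dict(REGISTERED_MCP_SERVERS[name])


def encode(obj: dict) -> str:
    """Build the base64 query value a client would send (demo helper)."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


if __name__ == "__main__":
    # Constructed request: unauthenticated, arbitrary origin, MCP route.
    print("weak requires auth:", weak_requires_auth("/api/mcp/ws", "http://other.example"))
    print("hardened authorized:", hardened_is_authorized("/api/mcp/ws", "http://other.example", None))
    print("hardened spec:", hardened_launch_spec(encode({"server": "time"})))
    try:
        hardened_launch_spec(encode({"command": "not-a-registered-server"}))
    except ValueError as err:
        print("rejected:", err)
```

The design point is that the fix for weakness 3 is not to sanitise the command string but to stop accepting one: the client names a server, the server owns the command. Likewise, the fix for weaknesses 1 and 2 is a single rule with no exemption list, so a new route cannot silently land outside the middleware.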

[Figure: Origin bypass via the AI agent. Source: Microsoft]
