



















A critical exploit chain dubbed AutoJack that allows a single malicious web page to hijack Microsoft’s AutoGen Studio browsing agent and execute arbitrary code on the host machine without any user interaction beyond submitting a URL.
AutoJack is a three-vulnerability exploit chain targeting AutoGen Studio, Microsoft Research’s open-source prototyping UI for multi-agent AI systems. The technique weaponizes the agent’s built-in web-browsing capabilities to cross the localhost trust boundary, turning the AI agent into an unwitting delivery vehicle for remote code execution (RCE).
Researchers reported the findings to the Microsoft Security Response Center (MSRC), and the upstream main branch was hardened in commit b047730. Crucially, the vulnerable MCP WebSocket surface was never included in any PyPI release, meaning developers who install AutoGen Studio via pip are not exposed to this specific chain.
AutoJack chains three independent weaknesses in AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface:
http://127.0.0.1 or http://localhost. While this blocks a human browser tab on evil.com, it does not block JavaScript rendered by a headless browser owned by an AutoGen browsing agent — which inherits localhost identity, bypassing the check entirely./api/mcp/* paths, assuming the WebSocket handler would enforce its own checks. It never did. As a result, the MCP WebSocket accepted unauthenticated connections regardless of the auth mode configured for the rest of the application.server_params: The WebSocket endpoint accepted a server_params query parameter, base64-decoded it into a JSON blob, parsed it into StdioServerParams, and passed command + args directly to stdio_client(). With no executable allowlist in place, an attacker could supply calc.exe, powershell.exe -enc …, or bash -c '...' as the “MCP server.”The end-to-end flow is straightforward. A developer runs AutoGen Studio on localhost:8081 alongside a browsing agent — such as a web summarizer built with MultimodalWebSurfer.
An attacker plants a malicious page (or tricks the user into submitting an attacker-controlled URL). The headless browser navigates to the page; its JavaScript opens a WebSocket to ws://localhost:8081/api/mcp/ws/<id>?server_params=<base64_payload>.
Because the browsing agent runs locally, the origin check passes; because auth middleware skips /api/mcp/*, no token is required. AutoGen Studio decodes the payload and spawns the attacker-specified command under the developer’s account.
In proof-of-concept testing, calc.exe launched on the developer’s desktop within seconds of the agent rendering the malicious page — initiated by the AutoGen Studio process itself, not the browser.

Microsoft’s maintainers addressed all three issues:
server_params is no longer accepted via the URL; parameters are stored server-side and keyed by UUID./api/mcp no longer bypasses middleware; all MCP routes now flow through standard authentication.These changes are live on the main branch as of commit b047730 (version 0.7.2). The published PyPI package (autogenstudio 0.4.2.2) was confirmed to contain no mcp.py route file or StdioServerParams references.
To defend against AutoJack-style attacks broadly:
main, use a build at or after commit b047730.AutoJack highlights a concerning risk pattern that is developing across AI agent frameworks. This issue arises when an agent is able to browse untrusted content while also having the ability to communicate with privileged local services.
In this case, the local environment can no longer be considered a secure boundary. To effectively mitigate this risk, it is essential to implement consistent control-plane authentication, enforce strict action allowlisting, and ensure identity isolation, regardless of the framework being utilized.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。