Microsoft fixes AutoGen Studio bug that enabled code execution

A chain of vulnerabilities dubbed AutoJack in Microsoft’s AutoGen Studio, the interface for prototyping AI agents, could allow attackers to execute arbitrary commands on the host system simply by having the agent visit a malicious web page.

AutoGen Studio is the graphical component of AutoGen, Microsoft’s open source framework for building multi-agent AI systems. The framework allows developers to create AI agents that can interact with each other, use tools, browse the web, execute code, interact with APIs, and connect to external systems.

The project is very popular, with over 59,000 stars and nearly 9,000 forks on GitHub. Microsoft notes that the impact of AutoJack was limited because the issue was addressed during development.

“This issue was identified and fixed prior to the PyPI release, so the affected code was never shipped in a published package,” Microsoft said.

“Exposure was limited to developers who built AutoGen Studio from the main GitHub branch during the window between the arrival of the MCP plugin and the hard commit.”

AutoJack details

Microsoft describes the AutoJack attack as a chain of three distinct weaknesses in AutoGen Studio:

  1. The MCP WebSocket endpoint trusts any connection arriving from localhost, so a browsing agent running on the same machine can be tricked into loading attacker-controlled JavaScript whose connection then appears to come from a trusted local source.
  2. AutoGen Studio’s authentication middleware excludes the /api/mcp/* routes from its checks, and the MCP WebSocket endpoint does not implement authentication of its own, leaving it reachable without credentials.
  3. The MCP WebSocket accepts a base64-encoded server_params value from the URL and passes it to process-execution code, allowing an attacker to specify and launch PowerShell, Bash commands, or arbitrary executables.

Overcoming the origin with an AI agent
Source: Microsoft
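To make the three weaknesses concrete, the following is an added illustration (not AutoGen Studio’s own code) of a WebSocket handshake validator that closes each of them: it compares the browser-supplied Origin header against an allowlist instead of trusting localhost, enforces a bearer token on the endpoint itself rather than relying on middleware, and refuses to hand a decoded server_params value to process execution unless the command is pre-registered. The route /api/mcp/ws, the port, the token scheme and the allowlisted MCP server names are assumptions chosen for the example; the attacker request below is constructed to mirror the calc.exe demo.

```python
import base64
import hmac
import json
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed settings for this illustration only; AutoGen Studio's real
# configuration, route names and token scheme are not reproduced here.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
API_TOKEN = "dev-only-example-token"  # constructed secret for the demo
# Only pre-registered MCP server launch commands may ever be started.
ALLOWED_SERVER_COMMANDS = {"mcp-server-filesystem", "mcp-server-git"}


@dataclass
class HandshakeDecision:
    accepted: bool
    reason: str


def check_origin(headers: Dict[str, str]) -> Optional[str]:
    """Weakness 1: a TCP connection from 127.0.0.1 is not proof of a trusted
    caller. A page from any site loaded by a local browser or browsing agent
    can open ws://127.0.0.1/...; what distinguishes it is the Origin header
    the browser attaches, so that header is compared against an allowlist."""
    origin = headers.get("origin")
    if origin is None:
        return "missing Origin header"
    if origin not in ALLOWED_ORIGINS:
        return "origin %r not in allowlist" % origin
    return None


def check_auth(headers: Dict[str, str]) -> Optional[str]:
    """Weakness 2: the endpoint enforces authentication itself instead of
    relying on middleware whose exclusion list may cover its path."""
    value = headers.get("authorization", "")
    if not value.startswith("Bearer "):
        return "missing bearer token"
    token = value[len("Bearer "):]
    if not hmac.compare_digest(token.encode(), API_TOKEN.encode()):
        return "invalid token"
    return None


def decode_server_params(url: str) -> Tuple[Optional[List[str]], Optional[str]]:
    """Weakness 3: a base64 blob taken from the URL must never reach process
    execution unchecked. Decode it, require a JSON object, accept only a
    command from the registered allowlist, and keep argv as a list so that
    no shell ever interprets attacker-supplied strings."""
    raw = parse_qs(urlsplit(url).query).get("server_params", [None])[0]
    if raw is None:
        return None, "server_params missing"
    try:
        padded = raw + "=" * (-len(raw) % 4)
        params = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # binascii.Error and JSONDecodeError both derive from ValueError
        return None, "server_params is not base64-encoded JSON"
    if not isinstance(params, dict) or not isinstance(params.get("command"), str):
        return None, "server_params must be an object with a string 'command'"
    command = params["command"]
    if command not in ALLOWED_SERVER_COMMANDS:
        return None, "command %r is not a registered MCP server" % command
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return None, "args must be a list of strings"
    return [command, *args], None


def authorize_mcp_handshake(url: str, headers: Dict[str, str]) -> HandshakeDecision:
    """Run the three checks in order and report the first failure. Only a
    request that passes all of them yields an argv list that a real server
    would pass to subprocess; this illustration deliberately stops short."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for check in (check_origin, check_auth):
        problem = check(lowered)
        if problem:
            return HandshakeDecision(False, problem)
    argv, problem = decode_server_params(url)
    if problem:
        return HandshakeDecision(False, problem)
    return HandshakeDecision(True, "launch " + shlex.join(argv))


def encode_server_params(params: dict) -> str:
    """Build the URL-safe base64 form a client would put in the query string."""
    return base64.urlsafe_b64encode(json.dumps(params).encode()).decode().rstrip("=")


if __name__ == "__main__":
    ws_url = "ws://127.0.0.1:8081/api/mcp/ws?server_params="  # hypothetical route
    # Constructed request modelled on the AutoJack chain: JavaScript served by
    # an attacker's page, no credentials, asking the endpoint to start PowerShell.
    attack = ws_url + encode_server_params({"command": "powershell", "args": ["-c", "calc.exe"]})
    print(authorize_mcp_handshake(attack, {"Origin": "https://attacker.example"}))
    # Constructed legitimate request from the Studio front end.
    good = ws_url + encode_server_params({"command": "mcp-server-git", "args": ["--repo", "/tmp/repo"]})
    print(authorize_mcp_handshake(good, {"Origin": "http://localhost:8081",
                                         "Authorization": "Bearer " + API_TOKEN}))
```

The Origin check is the part that defeats the localhost trust: the attacker’s JavaScript really does connect from 127.0.0.1, but the browser stamps it with the attacker’s origin, which the allowlist rejects. Even if that check were missing, the token check stops an unauthenticated page, and even with a stolen token the allowlist means the worst an attacker can do is start an MCP server the developer already registered, with argv passed as a list rather than through a shell.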

In the attack scenario Microsoft presented, malicious JavaScript on a page visited by the developer’s AI agent opens a WebSocket connection to AutoGen Studio’s local MCP endpoint.

The payload instructs AutoGen Studio to run a command of the attacker’s choosing with the privileges of the developer’s account. To demonstrate the result, Microsoft launched Windows Calculator.

The AutoJack demo launches Calc.exe
Source: Microsoft

It should be noted that users who install AutoGen Studio from the Python Package Index (PyPI) are never exposed to the affected code. The current latest package, autogenstudio 0.4.2.2, does not contain the AutoJack vulnerability.

However, developers who built AutoGen Studio directly from GitHub during the limited window before commit b047730 were exposed for that time.

Microsoft recommends that users who install AutoGen Studio use it as a “developer instance in an isolated environment” that is not exposed to the Internet.

In addition, the maintainers stress that the project should not be used with an agent that can browse untrusted content or execute code on a machine that has not been isolated for that purpose.

“Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future RCE run by the agent is contained in the dev profile, not your daily driver account,” advises Microsoft.
