A critical exploit chain dubbed AutoJack that allows a single malicious web page to hijack Microsoft\u2019s AutoGen Studio browsing agent and execute arbitrary code on the host machine without any user interaction beyond submitting a URL.<\/p>\n
AutoJack is a three-vulnerability exploit chain targeting AutoGen Studio, Microsoft Research\u2019s open-source prototyping UI for multi-agent AI systems. The technique weaponizes the agent\u2019s built-in web-browsing capabilities to cross the localhost trust boundary, turning the AI agent into an unwitting delivery vehicle for remote code execution (RCE).<\/p>\n
Researchers reported the findings to the Microsoft Security Response Center (MSRC), and the upstream AutoJack chains three independent weaknesses in AutoGen Studio\u2019s Model Context Protocol (MCP)<\/a> WebSocket surface:<\/p>\n The end-to-end flow is straightforward. A developer runs AutoGen Studio on An attacker plants a malicious page (or tricks the user into submitting an attacker-controlled URL). The headless browser navigates to the page; its JavaScript opens a WebSocket to Because the browsing agent runs locally, the origin check passes; because auth middleware skips In proof-of-concept testing, Microsoft\u2019s maintainers addressed<\/a> all three issues:<\/p>\n These changes are live on the To defend against AutoJack-style attacks broadly:<\/p>\n AutoJack highlights a concerning risk pattern that is developing across AI agent frameworks. This issue arises when an agent is able to browse untrusted content while also having the ability to communicate with privileged local services. <\/p>\n In this case, the local environment can no longer be considered a secure boundary. To effectively mitigate this risk, it is essential to implement consistent control-plane authentication, enforce strict action allowlisting, and ensure identity isolation, regardless of the framework being utilized.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post AutoJack \u2013 A Single Web Page Can Hijack Your AI Agent to Execute Malicious Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nmain<\/code> branch was hardened in commit b047730<\/code>. Crucially, the vulnerable MCP WebSocket surface was never included in any PyPI release, meaning developers who install AutoGen Studio via pip<\/code> are not exposed to this specific chain.<\/p>\nAutoJack Vulnerability Chain<\/strong><\/h2>\n
\n
http:\/\/127.0.0.1<\/code> or http:\/\/localhost<\/code>. While this blocks a human browser tab on evil.com<\/code>, it does not block JavaScript rendered by a headless browser owned by an AutoGen browsing agent \u2014 which inherits localhost identity, bypassing the check entirely.<\/li>\n\/api\/mcp\/*<\/code> paths, assuming the WebSocket handler would enforce its own checks. It never did. As a result, the MCP WebSocket accepted unauthenticated connections regardless of the auth mode configured for the rest of the application.<\/li>\nserver_params<\/code>:<\/strong> The WebSocket endpoint accepted a server_params<\/code> query parameter, base64-decoded it into a JSON blob, parsed it into StdioServerParams<\/code>, and passed command<\/code> + args<\/code> directly to stdio_client()<\/code>. With no executable allowlist in place, an attacker could supply calc.exe<\/code>, powershell.exe -enc \u2026<\/code>, or bash -c '...'<\/code> as the \u201cMCP server.\u201d<\/li>\n<\/ul>\nlocalhost:8081<\/code> alongside a browsing agent \u2014 such as a web summarizer built with MultimodalWebSurfer<\/code>.<\/p>\nws:\/\/localhost:8081\/api\/mcp\/ws\/<id>?server_params=<base64_payload><\/code>.<\/p>\n\/api\/mcp\/*<\/code>, no token is required. AutoGen Studio decodes the payload and spawns the attacker-specified command under the developer\u2019s account.<\/p>\ncalc.exe<\/code> launched on the developer\u2019s desktop within seconds of the agent rendering the malicious page \u2014 initiated by the AutoGen Studio process itself, not the browser.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2_SKxub_Pirl0OgxzYZ5aXxeHmGu0jiLf7D35peoFaZ6WWdasY4xOLokIW5LF03m-O5Zj_TAigsHsLuTBNWEALsHuGlwP8W3ULxwgda3oUdR92n4VPtgQS5YVT6YKGg_HevQFrFhXmNrPGyDq7-yhLrnMFtyV130F1oR9JP7jQWfph7drG45Ju0Kq9X-h\/w578-h640\/Autojack1.webp?ssl=1\")
<\/figure>\n<\/div>\nFixes Applied<\/strong><\/h2>\n
\n
server_params<\/code> is no longer accepted via the URL; parameters are stored server-side and keyed by UUID.<\/li>\n\/api\/mcp<\/code> no longer bypasses middleware; all MCP routes now flow through standard authentication.<\/li>\n<\/ul>\nmain<\/code> branch as of commit b047730<\/code> (version 0.7.2<\/code>). The published PyPI package (autogenstudio 0.4.2.2<\/code>) was confirmed to contain no mcp.py<\/code> route file or StdioServerParams<\/code> references.<\/p>\n\n
main<\/code>, use a build at or after commit b047730<\/a>.<\/li>\n<\/ul>\n