AutoJack: AI agent framework RCE via localhost MCP WebSocket
Microsoft researchers disclosed an exploit chain in AutoGen Studio that allows untrusted web content rendered by a browsing agent to spawn arbitrary processes on the host via an unauthenticated Model Context Protocol (MCP) WebSocket.
Attack Brief
Target: AutoGen Studio (AutoGen open-source prototyping UI)
Vector: A malicious webpage rendered by a local browsing agent exploits an unauthenticated MCP WebSocket and an origin validation bypass to execute arbitrary commands
Attribution: researcher disclosure
Technical Details
MITRE ATT&CK: T1190, T1021.004, T1059
IoCs: ws://localhost:8081/api/mcp/ws/?server_params=
Affected: AutoGen Studio development builds prior to commit b047730; PyPI releases are unaffected, as the vulnerable MCP WebSocket surface was never included in published packages
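To hunt for the IoC above in server-side logs, the following scanner is an added example written for this page, not tooling from the Microsoft researchers or the AutoGen project. It assumes uvicorn-style access-log lines (the format FastAPI applications commonly log) and that the server_params query value carries a JSON object with a command key; both are assumptions, and the log lines below are constructed for the example rather than captured from a real host.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Path and query-parameter name taken from the published IoC
# ws://localhost:8081/api/mcp/ws/?server_params=
IOC_PATH = "/api/mcp/ws/"
IOC_PARAM = "server_params"

# Constructed sample lines in uvicorn access-log style (not real captures).
# Line 1: a plausible legitimate MCP server launch; line 2: a shell launch
# that an analyst would want to see immediately; lines 3-4: unrelated traffic.
SAMPLE_LOG = """\
INFO:     127.0.0.1:51234 - "GET /api/mcp/ws/?server_params=%7B%22command%22%3A%22npx%22%2C%22args%22%3A%5B%22-y%22%2C%22%40modelcontextprotocol%2Fserver-filesystem%22%5D%7D HTTP/1.1" 101 Switching Protocols
INFO:     127.0.0.1:51240 - "GET /api/mcp/ws/?server_params=%7B%22command%22%3A%22bash%22%2C%22args%22%3A%5B%22-c%22%2C%22id%22%5D%7D HTTP/1.1" 101 Switching Protocols
INFO:     127.0.0.1:51250 - "GET /api/ws/runs/42 HTTP/1.1" 101 Switching Protocols
INFO:     127.0.0.1:51260 - "GET /api/sessions/ HTTP/1.1" 200 OK
"""

# level, client address, method, request target, HTTP version, status code
LINE_RE = re.compile(
    r'^(?P<level>\w+):\s+(?P<client>[\d.:\[\]a-fA-F]+)\s+-\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)


def decode_server_params(target):
    """Return the percent-decoded server_params value when the request target
    hits the IoC path, otherwise None. parse_qs does the decoding."""
    parts = urlsplit(target)
    if parts.path != IOC_PATH:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(IOC_PARAM)
    return values[0] if values else None


def extract_command(raw_params):
    """Best-effort triage helper: pull the launcher command out of the assumed
    {"command": ..., "args": [...]} JSON shape; None if it does not parse."""
    try:
        obj = json.loads(raw_params)
    except ValueError:
        return None
    return obj.get("command") if isinstance(obj, dict) else None


def find_mcp_ws_hits(log_text):
    """Scan access-log text and return one record per request that matches
    the IoC path and carries a server_params value."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        params = decode_server_params(m.group("target"))
        if params is None:
            continue
        hits.append({
            "client": m.group("client"),
            "status": m.group("status"),
            "server_params": params,
            "command": extract_command(params),
        })
    return hits


if __name__ == "__main__":
    for hit in find_mcp_ws_hits(SAMPLE_LOG):
        print(f"{hit['client']} status={hit['status']} command={hit['command']!r}")
```

Every hit is worth a look, since the endpoint was never meant to be reachable from a browser page, but a command outside the launchers your team actually configured (here, bash) is the one to escalate. If your deployment logs the Origin header, add it to the record; a non-localhost value on this path is as good as a confirmed probe.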
Impact
Confirmed Damage: Remote code execution under the developer's account; no confirmed real-world exploitation reported
Mitigation
Patches: commit b047730 (upstream main branch hardening)
Workarounds: implement origin validation for WebSocket connections; enforce authentication middleware on the /api/mcp/* and /api/ws/* endpoints; sanitize and allowlist the commands that server_params is permitted to launch; isolate agent browsing capabilities from privileged local services; segment local services so that a localhost origin is not treated as trusted
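The first three workarounds can be expressed as one handshake gate that runs before any MCP server process is spawned. The following is an added example written for this page; it is not the upstream commit b047730 and not AutoGen Studio's own code. ALLOWED_ORIGINS, ALLOWED_COMMANDS, SESSION_TOKEN, the token-in-query mechanism and the JSON shape assumed for server_params are all assumptions, and the headers/query arguments mirror what a Starlette/FastAPI WebSocket route would hand to such a check rather than any real route signature.

```python
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumed configuration for this example (hypothetical values):
# the origin the Studio UI is served from, the launchers an operator has
# approved for MCP servers, and a pre-shared token the UI sends on upgrade.
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}
ALLOWED_COMMANDS = {"npx", "uvx"}
SESSION_TOKEN = "dev-token-please-rotate"  # load from config in practice

SHELL_META = set(";|&$`<>\n")


def origin_allowed(origin: Optional[str]) -> bool:
    """Exact scheme://host:port comparison. A missing Origin is rejected because
    browsers always send one on WebSocket upgrades; prefix or substring checks
    are what let http://localhost:8081.attacker.example through."""
    if not origin:
        return False
    try:
        p = urlsplit(origin)
        port = p.port  # raises ValueError for "8081.attacker.example"
    except ValueError:
        return False
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    if p.path or p.query or p.fragment:  # an Origin header has none of these
        return False
    if port is None:
        port = 443 if p.scheme == "https" else 80
    return f"{p.scheme}://{p.hostname}:{port}" in ALLOWED_ORIGINS


def token_valid(presented: Optional[str]) -> bool:
    """Constant-time comparison against the configured token."""
    if not presented:
        return False
    return hmac.compare_digest(presented.encode(), SESSION_TOKEN.encode())


def validate_server_params(raw: str) -> dict:
    """Parse server_params (assumed shape {"command": ..., "args": [...]}) and
    accept only an allowlisted launcher with plain-string args. Anything a shell
    would interpret, and any extra keys such as env overrides, is refused."""
    try:
        params = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(params, dict):
        raise ValueError("must be a JSON object")
    command = params.get("command")
    if command not in ALLOWED_COMMANDS:
        raise ValueError(f"command {command!r} is not allowlisted")
    args = params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    for a in args:
        if SHELL_META & set(a):
            raise ValueError(f"shell metacharacter in arg {a!r}")
    unknown = set(params) - {"command", "args"}
    if unknown:
        raise ValueError(f"unexpected keys: {sorted(unknown)}")
    return {"command": command, "args": args}


def authorize_handshake(headers: dict, query: dict) -> Tuple[bool, str]:
    """Gate for the upgrade request. headers has lowercased names; query is the
    parsed query string. The token travels in the query string because browser
    WebSocket clients cannot set custom headers; a cookie-based variant needs
    the same origin check, since cookies ride along on cross-site upgrades."""
    if not origin_allowed(headers.get("origin")):
        return False, "origin rejected"
    if not token_valid(query.get("token")):
        return False, "authentication failed"
    try:
        validate_server_params(query.get("server_params", ""))
    except ValueError as exc:
        return False, f"server_params rejected: {exc}"
    return True, "accepted"


if __name__ == "__main__":
    good = {"token": SESSION_TOKEN,
            "server_params": '{"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem"]}'}
    print(authorize_handshake({"origin": "http://localhost:8081"}, good))
    print(authorize_handshake({"origin": "http://localhost:8081.attacker.example"}, good))
```

The order matters: origin and authentication fail closed before server_params is even parsed, so a cross-site page never gets to exercise the JSON parser. Launching with the returned command and args through subprocess without a shell keeps the metacharacter check from being the only line of defence.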
Context
Similar Attacks: Prior research identified RCE primitives in Microsoft Semantic Kernel. Broader pattern: agent frameworks that combine untrusted web browsing with access to privileged local services create a localhost attack surface.