A critical exploit chain dubbed AutoJack allows a single malicious web page to hijack Microsoft’s AutoGen Studio browsing agent and silently execute arbitrary code on the host machine, requiring no user interaction beyond submitting a URL.
AutoJack targets AutoGen Studio, Microsoft Research’s open-source prototyping UI for multi-agent AI systems. The technique weaponizes the agent’s built-in web-browsing capabilities to cross the localhost trust boundary, transforming the AI agent into an unwitting delivery vehicle for remote code execution (RCE).
The exploit chains three independent weaknesses in AutoGen Studio’s Model Context Protocol (MCP) WebSocket surface, each mapped to a distinct CWE identifier.
- CWE-1385 – Missing Origin Validation in WebSockets: The MCP WebSocket only accepts connections from http://127.0.0.1 or http://localhost. While this blocks a human browser tab on evil.com, it does not block JavaScript rendered by a headless browser owned by an AutoGen browsing agent, which inherits localhost identity and bypasses the origin check entirely.
- CWE-306 – Missing Authentication for Critical Function: AutoGen Studio’s authentication middleware explicitly skipped /api/mcp/* paths, assuming the WebSocket handler would enforce its own checks. It never did, meaning the MCP WebSocket accepted unauthenticated connections regardless of the auth mode configured elsewhere in the application.
- CWE-78 – OS Command Injection via server_params: The WebSocket endpoint accepted a server_params query parameter, base64-decoded it into a JSON blob, parsed it into StdioServerParams, and passed command + args directly to stdio_client() with no executable allowlist. An attacker can supply calc.exe, powershell.exe -enc …, or bash -c '...' as the “MCP server.”

A developer runs AutoGen Studio on localhost:8081 alongside a browsing agent such as a web summarizer built with MultimodalWebSurfer.
An attacker plants a malicious page or tricks the user into submitting an attacker-controlled URL. The headless browser navigates to that page, where embedded JavaScript opens a WebSocket to ws://localhost:8081/api/mcp/ws/.
Because the agent runs locally, the origin check passes. Because auth middleware skips /api/mcp/*, no token is required.
AutoGen Studio then decodes the payload and spawns the attacker-specified command under the developer’s account. In proof-of-concept testing, calc.exe launched on the developer’s desktop within seconds of the agent rendering the malicious page.
Patches and Affected Versions
Researchers disclosed their findings to the Microsoft Security Response Center (MSRC), and the upstream main branch was hardened in commit b047730 (version 0.7.2).
Critically, the vulnerable MCP WebSocket surface was never included in any PyPI release, so developers who install AutoGen Studio via pip (autogenstudio 0.4.2.2) are not exposed to this specific chain.
Microsoft’s maintainers addressed all three issues by moving server_params to server-side UUID-keyed storage and removing /api/mcp from the auth middleware skip list.
Defenders and developers should take the following steps:
- Install AutoGen Studio only from PyPI (pip install autogenstudio); the affected MCP route is absent from the published 0.4.2.2 package
- Never run AutoGen Studio with a browsing agent on a machine also handling untrusted web content
- Allowlist executables that may be invoked as MCP servers
- Isolate agent identity from developer identity using containers, separate OS users, or VMs
- If building from main, use a build at or after commit b047730
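The hardening pattern the maintainers are described as applying (server-side UUID-keyed storage for server_params, no auth skip on the MCP route) together with the executable allowlist recommended above, as an added illustrative example that is not AutoGen Studio's own code. The allowlist contents, the StdioServerParams dataclass, the registry class, the authorize_ws helper and the sample blob are all constructed for this example:

```python
import base64
import json
import secrets
import uuid
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical allowlist of executable names permitted as MCP servers.
ALLOWED_MCP_COMMANDS = frozenset({"npx", "uvx", "python"})
# Constructed sample of an untrusted server_params blob, as a web page could send it.
SAMPLE_UNTRUSTED_BLOB = base64.b64encode(b'{"command": "calc.exe", "args": []}').decode()

@dataclass
class StdioServerParams:  # same field names the article refers to
    command: str
    args: list = field(default_factory=list)

def decode_server_params(b64_blob: str) -> StdioServerParams:
    """Weak pattern (kept for contrast): trusts a client-supplied base64 JSON blob."""
    data = json.loads(base64.b64decode(b64_blob))
    return StdioServerParams(command=data["command"], args=list(data.get("args", [])))

def is_allowed_command(params: StdioServerParams) -> bool:
    """Exact match only, so path-qualified binaries and shells are rejected."""
    return params.command in ALLOWED_MCP_COMMANDS

class ServerParamsRegistry:
    """Server-side store keyed by opaque UUID; the WebSocket client never sends launch parameters."""
    def __init__(self) -> None:
        self._store: dict = {}

    def register(self, params: StdioServerParams) -> str:
        if not is_allowed_command(params):
            raise ValueError(f"command not allowlisted: {params.command!r}")
        key = str(uuid.uuid4())
        self._store[key] = params
        return key

    def resolve(self, key: str) -> Optional[StdioServerParams]:
        return self._store.get(key)

def authorize_ws(origin: str, token: Optional[str], expected_token: str) -> bool:
    """A localhost Origin is not trust on its own (an agent's headless browser has it too);
    require the session token on /api/mcp instead of skipping auth for that prefix."""
    host = origin.split("://", 1)[-1].split(":", 1)[0]
    return host in ("127.0.0.1", "localhost") and token is not None and secrets.compare_digest(token, expected_token)
```

The allowlist here is a placeholder; args still need their own validation, since an allowlisted interpreter with free-form args is no safer than no allowlist at all.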
AutoJack highlights a concerning risk pattern emerging across AI agent frameworks: when an agent can browse untrusted content while simultaneously communicating with privileged local services, the local environment can no longer be considered a secure boundary.
Consistent control-plane authentication, strict action allowlisting, and identity isolation are essential mitigations regardless of the framework in use.