A vulnerability chain dubbed AutoJack in Microsoft’s AutoGen Studio interface for prototyping AI agents could let attackers manipulate an agent into executing arbitrary commands on its host system simply by visiting a malicious webpage.
AutoGen Studio is the graphical component for AutoGen, Microsoft’s open-source framework for building multi-agent AI systems. The framework allows developers to create AI agents that can collaborate with one another, use tools, browse the web, execute code, interact with APIs, and connect to external systems.
The project is very popular, with more than 59,000 stars and nearly 9,000 forks on GitHub. Microsoft notes that AutoJack's impact was limited because the issue was addressed during development.
"This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package," Microsoft says.
"The exposure was limited to developers who built AutoGen Studio from the main GitHub branch during the window between the MCP plugin landing and the hardening commit.'
AutoJack details
Microsoft describes the AutoJack attack as being based on three separate weaknesses in AutoGen Studio:
- The MCP WebSocket trusts connections originating from localhost, allowing a browsing agent running on the same machine to be tricked into loading attacker-controlled JavaScript that appeared to come from a trusted local source
- AutoGen Studio's authentication middleware excludes /api/mcp/* routes from authentication checks, while the MCP WebSocket endpoint fails to implement its own authentication, leaving it accessible without credentials
- The MCP WebSocket accepts a base64-encoded server_params value from the URL and passes it to the process-launching code, allowing attackers to specify and execute arbitrary PowerShell, Bash commands, or executables.
Origin bypass via the AI agentSource: Microsoft
In a realistic attack scenario that Microsoft presented, a malicious JavaScript executes on a page visited by a developer’s AI agent, which opens a WebSocket connection to AutoGen Studio's local MCP endpoint.
The payload instructs AutoGen Studio to launch an attacker-chosen command with the privileges of the developer’s account. To demonstrate the effect, Microsoft demonstrated the launch of Windows Calculator.
AutoJack demo launching Calc.exeSource: Microsoft
It should be noted that users installing AutoGen Studio from the Python Package Index (PyPI) were never exposed to the affected code. The latest current package, autogenstudio 0.4.2.2, does not contain the AutoJack weaknesses.
However, developers building AutoGen directly from GitHub during a limited window before commit b047730 were impacted for a short period.
Microsoft recommends users who install AutoGen Studio to deploy it "strictly as a developer prototype in an isolated environment" that is not exposed to the internet.
Furthermore, the maintainer emphasizes that the project should not be run with an agent capable of browsing or executing arbitrary code on a machine with untrusted content.
"Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future agent-driven RCE is contained to a dev profile, not your daily-driver account," advises Microsoft.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
English (US) ·