AutoJack Flaw in Microsoft's AutoGen Studio Allowed Remote Code Execution via Malicious Webpage
A critical vulnerability chain, dubbed **AutoJack**, was discovered in **Microsoft**'s **AutoGen Studio**, an interface for prototyping AI agents. This flaw could have allowed attackers to execute arbitrary commands on a host system simply by tricking an AI agent into visiting a malicious webpage. While the issue was remediated before public release, it highlights the inherent risks in AI agent development.
A significant vulnerability chain, now known as **AutoJack**, was identified within **Microsoft**'s **AutoGen Studio** interface. This critical flaw could have enabled attackers to manipulate an AI agent, causing it to execute arbitrary commands on its host system through a visit to a specially crafted malicious webpage.
**AutoGen Studio** serves as the graphical component for **AutoGen**, **Microsoft**'s popular open-source framework designed for building multi-agent AI systems. This framework empowers developers to create AI agents capable of collaboration, tool utilization, web browsing, code execution, API interaction, and external system connectivity.
Despite its popularity, boasting over 59,000 stars and nearly 9,000 forks on GitHub, **Microsoft** emphasizes that the impact of **AutoJack** was limited, as the issue was addressed during the development phase.
"This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package," **Microsoft** stated. "The exposure was limited to developers who built **AutoGen Studio** from the main GitHub branch during the window between the MCP plugin landing and the hardening commit."
### AutoJack Details
**Microsoft** detailed the **AutoJack** attack as a combination of three distinct weaknesses within **AutoGen Studio**:
1. The **MCP WebSocket** trusted connections originating from `localhost`. This allowed a browsing agent on the same machine to be tricked into loading attacker-controlled JavaScript, which appeared to originate from a trusted local source.
2. **AutoGen Studio**'s authentication middleware excluded `/api/mcp/*` routes from authentication checks. Concurrently, the **MCP WebSocket** endpoint lacked its own authentication, rendering it accessible without credentials.
3. The **MCP WebSocket** accepted a base64-encoded `server_params` value from the URL. This value was passed straight to the process-launching code, so an attacker could specify and execute arbitrary PowerShell or Bash commands, or any other executable.

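To make the three weaknesses concrete from a defender's perspective, the following added example (not AutoGen Studio's own code; every route, registry entry, function name and sample payload here is hypothetical and constructed) places each weak decision beside a hardened one: an auth middleware that exempts the MCP routes versus one that exempts only a health probe, an origin check that trusts anything from `localhost` versus a per-session WebSocket token, and a launcher that executes whatever `server_params` names versus one that only resolves a pre-registered server id.

```python
# Added illustration, not AutoGen Studio's code. All names, routes, the registry
# and the sample payloads below are hypothetical and constructed for this example.
import base64
import json
import secrets
from typing import Optional

# --- Weakness 2: authentication middleware with a route exemption --------------
# The weak list mirrors the kind of exclusion the article describes (MCP routes
# skipped); the hardened list exempts only an unauthenticated health probe.
WEAK_EXEMPT_PREFIXES = ("/health", "/api/mcp/")
HARDENED_EXEMPT_PREFIXES = ("/health",)


def requires_auth(path: str, exempt_prefixes: tuple) -> bool:
    """Return True if a request to `path` must carry valid credentials."""
    return not any(path.startswith(prefix) for prefix in exempt_prefixes)


# --- Weakness 1: trusting "it came from localhost" -----------------------------
def origin_is_trusted_weak(origin: str) -> bool:
    """Weak: any page served from loopback is trusted, so script that a browsing
    agent loads on such a page inherits that trust."""
    return origin.startswith(("http://localhost", "http://127.0.0.1"))


def websocket_token_valid(presented: Optional[str], expected: str) -> bool:
    """Hardened: the WebSocket must present a per-session secret that was issued
    to the authenticated UI; the origin alone proves nothing."""
    return presented is not None and secrets.compare_digest(presented, expected)


# --- Weakness 3: server_params from the URL reaching the process launcher ------
# Hypothetical registry of MCP servers an operator configured ahead of time.
SERVER_REGISTRY = {
    "docs-search": {"command": "mcp-docs-server", "args": ["--read-only"]},
}


def encode_params(params: dict) -> str:
    """Encode a params dict the way a client would put it in the URL (constructed)."""
    return base64.b64encode(json.dumps(params).encode()).decode()


def launch_spec_weak(server_params_b64: str) -> dict:
    """Weak: decode the client-supplied blob and hand it to the launcher as-is.
    Whatever 'command' the client chose is what would be executed."""
    return json.loads(base64.b64decode(server_params_b64))


def launch_spec_hardened(server_params_b64: str, registry: dict) -> dict:
    """Hardened: the client may only name a pre-registered server; the command
    and arguments come from the operator's registry, never from the request."""
    try:
        requested = json.loads(base64.b64decode(server_params_b64, validate=True))
    except ValueError as exc:  # covers binascii.Error and json.JSONDecodeError
        raise ValueError("malformed server_params") from exc
    if not isinstance(requested, dict) or set(requested) != {"server_id"}:
        raise ValueError("only a registered server_id may be supplied")
    spec = registry.get(requested["server_id"])
    if spec is None:
        raise ValueError("unknown server_id")
    return dict(spec)


def demo() -> dict:
    """Run each weak/hardened pair on constructed inputs and report the outcomes."""
    hostile_blob = encode_params({"command": "attacker-chosen-binary", "args": []})
    benign_blob = encode_params({"server_id": "docs-search"})
    try:
        launch_spec_hardened(hostile_blob, SERVER_REGISTRY)
        hardened_rejects_hostile = False
    except ValueError:
        hardened_rejects_hostile = True
    return {
        "mcp_route_needs_auth_weak": requires_auth("/api/mcp/ws", WEAK_EXEMPT_PREFIXES),
        "mcp_route_needs_auth_hardened": requires_auth("/api/mcp/ws", HARDENED_EXEMPT_PREFIXES),
        "loopback_origin_trusted_weak": origin_is_trusted_weak("http://localhost:8081/page"),
        "missing_token_accepted_hardened": websocket_token_valid(None, "session-secret"),
        "weak_launch_command": launch_spec_weak(hostile_blob)["command"],
        "hardened_rejects_hostile": hardened_rejects_hostile,
        "hardened_launch_command": launch_spec_hardened(benign_blob, SERVER_REGISTRY)["command"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point in the hardened variants is that none of them relies on where a request came from: the route list contains no exemption for the WebSocket, the socket proves possession of a secret the page could only obtain after authenticating, and the request can select a server but never describe a command.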
In a realistic attack scenario presented by **Microsoft**, malicious JavaScript would execute on a page visited by a developer's AI agent. This JavaScript would then open a WebSocket connection to **AutoGen Studio**'s local **MCP** endpoint.
The payload would instruct **AutoGen Studio** to launch an attacker-chosen command with the privileges of the developer's account. As a demonstration, **Microsoft** successfully launched the Windows Calculator.

It is crucial to note that users installing **AutoGen Studio** from the **Python Package Index (PyPI)** were never exposed to the vulnerable code. The current package, `autogenstudio 0.4.2.2`, does not contain the **AutoJack** weaknesses.
However, developers who built **AutoGen** directly from GitHub during a specific, limited window, prior to [commit `b047730`](https://github.com/microsoft/autogen/commit/b0477309d2a0baf489aa256646e41e513ab3bfe8), were temporarily impacted.
**Microsoft** advises users installing **AutoGen Studio** to deploy it "strictly as a developer prototype in an isolated environment" that is not exposed to the internet.
Furthermore, the maintainers emphasize that the project should not be run with an agent capable of browsing or executing arbitrary code on a machine with untrusted content.
"Run **AutoGen Studio** under a low-privilege account in a sandboxed user profile or container so that any future agent-driven RCE is contained to a dev profile, not your daily-driver account," **Microsoft** recommends.