Critical AutoJack Vulnerability in AutoGen Studio: Microsoft Warns of Remote Code Execution Risk
June 19, 2026
A vulnerability chain dubbed AutoJack exists in AutoGen Studio's MCP WebSocket route, through which a local AI browsing agent, hijacked by a malicious web page, can trigger arbitrary commands on the host without credentials or further user interaction.
The exploit chain bypasses localhost-based checks, skips authentication on MCP paths, and executes commands directly from request parameters without an allowlist.
Microsoft’s Defender Security Research Team disclosed AutoJack as a remote code execution chain initiated by a malicious website.
A fixed version exists on GitHub main after commit b047730 (PR #7362); there is no patched PyPI release yet, so users should stay on 0.4.2.2 or pull the latest sources after that commit.
Mitigations emphasize isolating AutoGen Studio in development environments, binding to loopback with firewall controls, using authenticated reverse proxies, running under low-privilege accounts, and applying strict allowlists for dangerous actions. Tool parameters reachable from model output should be treated as attacker-controlled, and agent identity should be kept separate from developer identity.
The vulnerability chain existed only in early GitHub builds and was fixed before official release, reducing risk in deployed versions.
Recommended mitigations are upgrading to GitHub main after the fix or, until a release with the patch is available, not running AutoGen Studio on the same machine as agents that process untrusted content.
References include Microsoft's security blog, the PR and commit notes for the hardening, and coverage from The Hacker News corroborating the findings and guidance.
Context notes show that localhost trust issues appear in other AI-agent frameworks as well; recommended practices include authenticating the control plane, using allowlists, and giving agents distinct non-user identities.
Microsoft's coordinated fixes move server_params handling server-side (via POST /api/mcp/ws/connect), tighten the auth skip list so MCP traffic goes through standard authentication, and validate MCP parameters before use.
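As an added illustration (not AutoGen Studio's own code), the two control-plane checks the fix describes: an auth skip list that wrongly exempts the MCP WebSocket route beside the corrected one, and allowlist validation of MCP server parameters treated as attacker-controlled. The endpoint path comes from the page; the function names, ALLOWED_COMMANDS, and the sample parameters are constructed assumptions.

```python
from typing import Any

# Weak setting: the auth skip list also exempts the MCP WebSocket route,
# so anything reaching the loopback port can open it unauthenticated.
WEAK_AUTH_SKIP_PREFIXES = ("/api/health", "/api/mcp/ws")
# Corrected: only genuinely public endpoints bypass standard authentication.
AUTH_SKIP_PREFIXES = ("/api/health",)


def requires_auth(path: str, skip_prefixes: tuple[str, ...] = AUTH_SKIP_PREFIXES) -> bool:
    """True when the request path must pass the standard authentication layer."""
    return not any(path.startswith(prefix) for prefix in skip_prefixes)


# Hypothetical allowlist of launchers an agent-facing endpoint may start.
# Everything else is rejected before any subprocess is spawned.
ALLOWED_COMMANDS = {"npx", "uvx"}
ALLOWED_KEYS = {"command", "args"}
MAX_ARGS = 8
SHELL_METACHARS = set(";&|`$<>(){}\n")


class MCPParamError(ValueError):
    """Raised when caller-supplied MCP server params fail validation."""


def validate_mcp_server_params(params: dict[str, Any]) -> list[str]:
    """Validate stdio server params that may be reachable from model output
    (treated as attacker-controlled) and return the argv that may be executed."""
    unknown = set(params) - ALLOWED_KEYS
    if unknown:
        raise MCPParamError(f"unexpected keys: {sorted(unknown)}")
    command = params.get("command")
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise MCPParamError(f"command not in allowlist: {command!r}")
    args = params.get("args", [])
    if not isinstance(args, list) or len(args) > MAX_ARGS:
        raise MCPParamError(f"args must be a list of at most {MAX_ARGS} items")
    for arg in args:
        if not isinstance(arg, str) or not arg or SHELL_METACHARS & set(arg):
            raise MCPParamError(f"rejected argument: {arg!r}")
    # The returned argv is intended for subprocess.Popen(argv) with shell=False;
    # it is never joined into a shell command string.
    return [command, *args]
```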
Exposure details: a plain pip install of autogenstudio 0.4.2.2 is not affected; the vulnerable pre-releases 0.4.3.dev1/dev2 existed, and upgrading via PyPI before the patch is published won't help, so pull from source.
Two pre-release PyPI builds shipped with the vulnerable MCP WebSocket route; the stable 0.4.2.2 does not include this feature.
Summary based on 4 sources
Sources
Microsoft Security Blog, Jun 19, 2026: "AutoJack: How a single page can RCE the host running your AI agent"
The Hacker News, Jun 19, 2026: "AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution"