Overview
Microsoft’s Defender Security Research Team has disclosed AutoJack, a three-vulnerability exploit chain in AutoGen Studio — the open-source prototyping UI for Microsoft’s AutoGen agent framework. When an AI browsing agent visits a malicious web page, the chain allows that page to cross the localhost trust boundary, reach an exposed Model Context Protocol (MCP) WebSocket server, and spawn arbitrary processes on the developer’s host machine — a full remote code execution (RCE) primitive triggered by a single page load.
The finding was reported to the Microsoft Security Response Center (MSRC). Mitigations were merged into the upstream main branch in commit b047730. Critically, the vulnerable MCP WebSocket surface was never included in a PyPI release, limiting real-world exposure — but the architectural lesson is widely applicable.
Technical Analysis
The AutoJack chain relies on three compounding weaknesses:
Issue 1 — Origin allowlist defeated by the agent itself. AutoGen Studio attempted to restrict WebSocket connections to known origins, but a browsing agent navigating to an attacker-controlled page operates within a browser context that can satisfy that allowlist, effectively letting the untrusted page inherit the agent’s trusted origin.
Issue 2 — Authentication middleware excluded MCP endpoints. The server’s auth middleware correctly protected most routes but was configured to opt the MCP WebSocket path out of authentication checks, leaving it open to any connection that passed the origin check.
Issue 3 — server_params derived directly from URL input. The MCP WebSocket handler accepted server_params — including executable paths and arguments — directly from URL query parameters without sanitisation. An attacker-controlled page could therefore craft a WebSocket URL that passed arbitrary command-line arguments, achieving process execution on the host.
Combined attack flow:
- Attacker hosts a page with a crafted WebSocket URL targeting ws://localhost:<port>/mcp?server_params=<payload>.
- Browsing agent navigates to the page; the page’s JavaScript initiates the WebSocket connection, satisfying the origin allowlist.
- Unauthenticated MCP handler processes the request and spawns the attacker-specified process on the host.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0051 — LLM Prompt Injection | Untrusted web content manipulates agent behaviour to trigger privileged actions |
| MITRE ATLAS | AML.T0047 — ML-Enabled Product or Service | Vulnerability exists within an AI agent framework product |
| OWASP LLM | LLM08 — Excessive Agency | Agent holds capability to interact with privileged local services without adequate guardrails |
| OWASP LLM | LLM07 — Insecure Plugin Design | MCP WebSocket functions as an unauthenticated plugin surface |
| OWASP LLM | LLM02 — Insecure Output Handling | Agent actions derived from untrusted page content are not sanitised before execution |
Impact Assessment
The immediate blast radius is limited: only AutoGen Studio instances built from source (not PyPI) with the MCP WebSocket surface active are directly vulnerable. However, the architectural pattern — agent with browsing capability co-located with privileged local control plane — is common across the developer tooling ecosystem. Similar chains are plausible in any framework that does not enforce strict authentication and input validation on loopback services accessible to an agent’s browsing context.
Mitigation & Recommendations
- Confirm installation source: PyPI installs of AutoGen Studio are not affected. If running from source, pull the patched main branch (post-commit b047730).
- Authenticate all local control planes: MCP endpoints and similar local service buses must require authentication regardless of origin; loopback is not a security boundary.
- Sanitise all tool inputs: Never derive shell parameters or executable paths from URL inputs or LLM-controlled fields without strict allowlisting.
- Network-isolate browsing agents: Run browsing-capable agents in sandboxed environments (containers, VMs) that cannot reach developer localhost services.
- Apply least-privilege to agent tool access: Agents should only hold the tool permissions required for their task; browsing agents should not have access to process-spawning interfaces.
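The following is an added example, not code from AutoGen Studio or from the Defender research team, showing what the "authenticate all local control planes" and "sanitise all tool inputs" recommendations look like as a request gate in front of a local MCP WebSocket handler. It also illustrates why Issues 2 and 3 above compound: the gate refuses any request that carries process details (the legacy server_params field), requires an operator-provisioned bearer secret before the origin is even consulted, and resolves the MCP server only by name from a server-side allowlist. The endpoint path, the `server` query key, the registry entries and the `/opt/mcp/...` paths are all hypothetical placeholders, and the sample requests are constructed for the demo.

```python
"""Request gate for a local MCP WebSocket endpoint (added example).

Not AutoGen Studio's code. Assumes a hypothetical handler that receives the
WebSocket upgrade URL and headers and must decide whether, and which, MCP
server process may be started on the developer's host.
"""
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of MCP servers the operator has approved. Commands and
# arguments live here, on the server side; a request may only name an entry.
SERVER_REGISTRY: dict[str, tuple[str, ...]] = {
    "fs-readonly": ("/opt/mcp/fs-server", "--root", "/srv/readonly"),  # hypothetical paths
    "calendar": ("/opt/mcp/calendar-server",),
}

# The only query parameter the handler understands. Anything else, notably a
# server_params field carrying executable paths or arguments, is rejected.
PERMITTED_QUERY_KEYS = frozenset({"server"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    command: tuple[str, ...] = ()


def authorize_mcp_request(url: str, headers: dict[str, str], secret: str,
                          allowed_origins: frozenset[str]) -> Decision:
    """Return a Decision; only an allowed Decision carries a command to spawn."""
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(url)
    if parts.path != "/mcp":
        return Decision(False, "unexpected path")

    # 1. Input surface: the request must not be able to carry process details.
    qs = parse_qs(parts.query, keep_blank_values=True)
    unknown = set(qs) - PERMITTED_QUERY_KEYS
    if unknown:
        return Decision(False, f"unexpected query parameter(s): {sorted(unknown)}")

    # 2. Authentication before origin: a page that satisfies the origin
    #    allowlist through the agent's browser still does not hold the secret.
    token = h.get("authorization", "")
    presented = token[len("Bearer "):] if token.startswith("Bearer ") else ""
    if not presented or not hmac.compare_digest(presented.encode(), secret.encode()):
        return Decision(False, "missing or invalid bearer token")

    # 3. Origin check kept as defence in depth only; loopback is not the boundary.
    if h.get("origin", "") not in allowed_origins:
        return Decision(False, "origin not allowed")

    # 4. Resolve the server by name: exactly one name, and it must be registered.
    names = qs.get("server", [])
    if len(names) != 1 or names[0] not in SERVER_REGISTRY:
        return Decision(False, "server not in allowlist")
    return Decision(True, "ok", SERVER_REGISTRY[names[0]])


def demo(secret: str = "constructed-secret") -> dict[str, Decision]:
    """Run the gate over constructed requests; the keys describe each case."""
    origins = frozenset({"http://localhost:8081"})
    good = {"Origin": "http://localhost:8081", "Authorization": f"Bearer {secret}"}
    no_auth = {"Origin": "http://localhost:8081"}
    wrong = {"Origin": "http://localhost:8081", "Authorization": "Bearer not-the-secret"}
    return {
        "legacy server_params field": authorize_mcp_request(
            "ws://localhost:8081/mcp?server_params=PLACEHOLDER", good, secret, origins),
        "allowed origin, no secret": authorize_mcp_request(
            "ws://localhost:8081/mcp?server=fs-readonly", no_auth, secret, origins),
        "allowed origin, wrong secret": authorize_mcp_request(
            "ws://localhost:8081/mcp?server=fs-readonly", wrong, secret, origins),
        "unregistered server name": authorize_mcp_request(
            "ws://localhost:8081/mcp?server=shell", good, secret, origins),
        "legitimate client": authorize_mcp_request(
            "ws://localhost:8081/mcp?server=fs-readonly", good, secret, origins),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:30s} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

The ordering is deliberate: the secret is checked before the Origin header so that a request arriving from an allowlisted origin gains nothing from that fact alone, and the registry means the only process-related decision the request can influence is which pre-approved entry is used. How the legitimate frontend transports the bearer secret (header, subprotocol, or otherwise) is an implementation choice; the property that matters is that a third-party page loaded by the agent never holds it.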