Microsoft AutoGen Studio Vulnerability Enables Remote Code Execution via Malicious Webpage
The flaw is part of a chain of three independent weaknesses in AutoGen Studio’s Model Context Protocol (MCP) WebSocket interface. The MCP WebSocket is a communication channel that agents use to exchange messages with the host application. Researchers discovered that the interface was exposed in the development builds but omitted from the stable 0.4.2.2 release that is distributed through PyPI.
The first weakness is insufficient origin validation. The WebSocket endpoint was intended to accept connections only from localhost origins, but the code that checks the origin header does not consider JavaScript running inside the headless browser used by the agent. The second weakness is an authentication bypass: the /api/mcp/* routes are excluded from the normal authentication checks, allowing an unauthenticated client to open a WebSocket connection. The third weakness lies in the handling of the server_params argument. The parameter is parsed from the client’s request, decoded into a set of execution arguments, and passed directly to the process‑spawning function without any filtering or validation.
When a developer runs AutoGen Studio on localhost:8081 with a browsing agent enabled, an attacker can supply a URL that points to a malicious web page. The page’s embedded JavaScript opens a WebSocket connection to the local MCP endpoint and sends a server_params payload that instructs the host application to launch an arbitrary executable with the privileges of the logged‑in user. Because the attack chain relies only on the agent’s browsing capability and the three weaknesses above, it does not require stolen credentials, repeated user actions, or any form of authentication bypass beyond the exposed WebSocket.
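The three weaknesses above correspond to three checks a local WebSocket endpoint should perform before it spawns anything: an exact-match Origin check, mandatory authentication on the MCP routes, and an allowlist lookup for whatever the client sends as server_params. The following Python is an added illustration of those checks and is not AutoGen Studio's code; the allowed origins mirror the localhost:8081 setup described in the article, while the function names, the bearer-token scheme, the allowlist contents and the request shapes are assumptions made for the example.

```python
"""Defensive gating for an MCP-style WebSocket endpoint (added example).

Not AutoGen Studio's code. Demonstrates the three checks whose absence the
article describes: strict Origin validation, authentication on the WebSocket
route, and an allowlist for the command behind `server_params` so the client
can never name an executable directly. Names, token scheme and allowlist
contents are assumptions for this example.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Exact scheme://host:port strings that may open the WebSocket (assumed to
# match a dev server listening on localhost:8081 as in the article).
ALLOWED_ORIGINS = frozenset({"http://localhost:8081", "http://127.0.0.1:8081"})

# Constructed allowlist: the client names a server, the host owns the argv.
COMMAND_ALLOWLIST = {
    "echo-server": ("/usr/bin/echo",),
}

# Constructed session token; assume the normal login flow issued it.
SESSION_TOKEN = "constructed-session-token"

# Client-supplied arguments are passed as a list (never via a shell) and are
# additionally restricted to a conservative character set.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._:=@/-]*$")


@dataclass(frozen=True)
class LaunchSpec:
    argv: tuple  # fully resolved argv the host would hand to subprocess


def origin_allowed(origin: Optional[str]) -> bool:
    """Accept only an exact, normalised allowlisted origin.

    A missing header, the literal "null" origin of sandboxed frames, and
    lookalikes such as http://localhost:8081.example.net all fail because the
    whole scheme://netloc string is compared, not a prefix or substring.
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in ALLOWED_ORIGINS


def authenticated(headers: Mapping[str, str]) -> bool:
    """Require a valid bearer token; the /api/mcp/* routes get no exemption."""
    value = headers.get("authorization", "")
    if not value.startswith("Bearer "):
        return False
    return hmac.compare_digest(value[len("Bearer "):], SESSION_TOKEN)


def resolve_server_params(server_params: Mapping[str, object]) -> LaunchSpec:
    """Map server_params onto an allowlisted command instead of trusting it.

    Only a known server name plus string arguments are accepted; a raw
    "command" key or an unknown name is rejected before anything is spawned.
    """
    name = server_params.get("server")
    if not isinstance(name, str) or name not in COMMAND_ALLOWLIST:
        raise PermissionError(f"server {name!r} is not allowlisted")
    args = server_params.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    for arg in args:
        if not SAFE_ARG.match(arg):
            raise ValueError(f"argument {arg!r} contains disallowed characters")
    return LaunchSpec(argv=COMMAND_ALLOWLIST[name] + tuple(args))


def handle_mcp_connect(headers: Mapping[str, str],
                       server_params: Mapping[str, object]) -> LaunchSpec:
    """Gate a connection in order: origin, then authentication, then params."""
    lower = {k.lower(): v for k, v in headers.items()}
    if not origin_allowed(lower.get("origin")):
        raise PermissionError("origin not allowed")
    if not authenticated(lower):
        raise PermissionError("authentication required")
    return resolve_server_params(server_params)


if __name__ == "__main__":
    # Constructed requests: one from the local UI, one from a foreign page.
    local = {"Origin": "http://localhost:8081",
             "Authorization": "Bearer " + SESSION_TOKEN}
    print(handle_mcp_connect(local, {"server": "echo-server", "args": ["ok"]}))
    foreign = dict(local, Origin="http://localhost:8081.example.net")
    try:
        handle_mcp_connect(foreign, {"server": "echo-server"})
    except PermissionError as exc:
        print("rejected:", exc)
```

The order of the checks matters for logging as much as for safety: an origin failure is logged before any token is examined, so a cross-origin attempt from an agent's browser session shows up as such rather than as an authentication error. The allowlist also changes what the client can express at all: it chooses a server name, and the host alone decides which executable that name maps to.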
The vulnerability is a concrete example of the growing security challenges that arise when AI agents are integrated into browsers, developer tools, and operating systems. As agents gain the ability to browse the web, interact with local services, and execute tools, the boundary between untrusted internet content and privileged local resources becomes harder to enforce.
Microsoft was notified through its Security Response Center as part of the researchers' responsible disclosure. The company confirmed that the MCP WebSocket surface was not present in the stable 0.4.2.2 release and that the development builds are the only versions affected. No public patch has been released yet, but users of the development builds are advised to upgrade to the stable release or to remove the MCP WebSocket feature from their environment.
The exploit chain has been mapped to several Common Weakness Enumeration (CWE) identifiers, reflecting the combination of origin validation, authentication bypass, and insecure command execution. The researchers who identified the flaw have published a detailed technical report, but no public statements from Microsoft or the AutoGen team have been issued beyond the initial confirmation.
For developers who rely on AutoGen Studio for prototyping multi‑agent workflows, the incident underscores the importance of using only officially released, stable versions of open‑source AI tooling. It also highlights the need for rigorous security reviews of agent interfaces that interact with local services, especially when those interfaces are exposed through WebSocket or similar protocols.
In summary, the AutoGen Studio vulnerability demonstrates how a malicious webpage can trigger a remote code execution path on a developer’s machine through a combination of WebSocket exposure, authentication gaps, and unfiltered command execution. The flaw is limited to specific development builds, does not require credential theft, and can be mitigated by upgrading to the stable release or disabling the MCP WebSocket feature.