
AutoJack Flaw in Microsoft's AutoGen Studio Hijacks Agents for Remote Code Execution

bleepingcomputer.com · @loyal_dolphin · 3 hours ago · Cybersecurity · 3 comments

A three-weakness chain in AutoGen Studio's MCP WebSocket lets a malicious webpage trick an AI agent into executing arbitrary commands on its host system.

Tags: microsoft, autogen studio, autojack, remote code execution, ai agents, vulnerability

A developer browsing the web with an AutoGen Studio agent running could watch their machine launch Calculator without touching the keyboard - that's the proof-of-concept for the AutoJack vulnerability chain fixed by Microsoft before it hit PyPI.

Microsoft's AutoGen Studio is the graphical component of the AutoGen framework, an open-source toolkit for building multi-agent AI systems that collaborate, browse the web, execute code, and call APIs. The GitHub repository has over 59,000 stars and nearly 9,000 forks, so a flaw in it reaches a large developer population and draws attacker attention accordingly.

Three Weaknesses, One Chain

AutoJack exploits three separate failures in how AutoGen Studio handles WebSocket connections. First, the MCP WebSocket endpoint does not validate the Origin of the handshake; it trusts any connection that arrives on localhost. Browsers do not apply the same-origin policy to WebSocket handshakes, so JavaScript served by any site the agent's browser visits can open a socket to the local endpoint, and the server cannot tell that traffic apart from the legitimate UI.

Second, AutoGen Studio's authentication middleware explicitly exempts /api/mcp/* routes from its checks, and the MCP WebSocket endpoint performs no authentication of its own. That leaves the endpoint wide open to anyone who can reach it.

Third, the WebSocket endpoint accepts a base64-encoded server_params value in the URL and hands it straight to the code that launches the MCP server process. An attacker can supply arbitrary PowerShell or Bash commands, or any executable, with no sanitization or validation along the way.

Attack Flow and Impact

In the scenario Microsoft detailed, malicious JavaScript runs on a page the developer's AI agent visits. That script opens a WebSocket connection to AutoGen Studio's local MCP endpoint, and its server_params payload tells AutoGen Studio to launch an attacker-chosen command with the privileges of the developer's account. Microsoft's proof of concept launched Windows Calculator; anything else that account can run would work equally well.
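As an added illustration of the three weaknesses and the attack flow above (not AutoGen Studio's code or Microsoft's fix, neither of which this page reproduces), the block below models the flawed pattern and a gate that applies the missing checks in order: an Origin allowlist, a bearer-token check, and a parameter schema that lets the browser choose a registered MCP server by name instead of supplying a command line. The port 8081, the lowercase-keyed header dict, the server registry, the session token and the two sample handshakes are all assumptions constructed for the example.

```python
import base64
import hmac
import json
from urllib.parse import parse_qs

# Origins the local UI is served from. The port is an assumption for this example;
# use whatever the real deployment binds.
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}

# Constructed per-session secret for the example. A real service would generate it at
# startup and hand it to the UI out of band rather than hard-coding it.
SESSION_TOKEN = "example-session-token-do-not-reuse"

# Hypothetical registry of MCP servers the operator has approved. The browser may only
# pick a name; the argv comes from here, so no command line ever arrives over the socket.
ALLOWED_SERVERS = {
    "filesystem": ["npx", "-y", "@modelcontextprotocol/server-filesystem", "/tmp/sandbox"],
}


def _decode_b64_json(raw: str) -> dict:
    """Decode a base64 (standard or URL-safe) JSON object, raising ValueError on anything else."""
    padded = raw + "=" * (-len(raw) % 4)
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError and JSONDecodeError all subclass it
        raise ValueError("server_params is not base64-encoded JSON") from exc
    if not isinstance(obj, dict):
        raise ValueError("server_params must be a JSON object")
    return obj


def vulnerable_launch_argv(query: str) -> list[str]:
    """The flawed pattern the article describes: decode server_params and launch it as-is.
    Shown only so the gate below has something to refuse; never feed it untrusted input."""
    params = _decode_b64_json(parse_qs(query)["server_params"][0])
    return [params["command"], *params.get("args", [])]


def gate(headers: dict[str, str], query: str) -> tuple[str, object]:
    """Apply the three checks the article says were missing, in order.

    headers: request headers with lowercase keys (the shape Starlette exposes; assumed here).
    query:   the raw query string of the WebSocket URL.
    Returns ("allowed", argv) when a registered server may be started, else ("denied", reason).
    """
    # 1. Origin validation. Browsers attach an Origin header to the WebSocket handshake but do
    #    not enforce same-origin on it, so the server must reject every origin it does not serve.
    origin = headers.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return "denied", f"origin {origin!r} not allowed"

    # 2. Authentication. Require the session token the UI obtained from the server; compare in
    #    constant time so the check does not leak how many leading bytes matched.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        return "denied", "missing or invalid session token"

    # 3. Parameter validation. Accept only {"name": <registered server>}; a raw command,
    #    args or env field is rejected outright instead of being "sanitized".
    raw = parse_qs(query).get("server_params", [None])[0]
    if raw is None:
        return "denied", "server_params missing"
    try:
        params = _decode_b64_json(raw)
    except ValueError as exc:
        return "denied", str(exc)
    if set(params) != {"name"} or params["name"] not in ALLOWED_SERVERS:
        return "denied", "server_params must name a registered MCP server"
    return "allowed", list(ALLOWED_SERVERS[params["name"]])


def _b64(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed handshakes modelled on the scenario above: script from an arbitrary site opens
# the local endpoint with a raw command in server_params, versus the legitimate UI.
ATTACK_HEADERS = {"origin": "https://attacker.example", "host": "localhost:8081"}
ATTACK_QUERY = "server_params=" + _b64({"command": "powershell", "args": ["-c", "calc.exe"]})
LEGIT_HEADERS = {"origin": "http://localhost:8081", "authorization": "Bearer " + SESSION_TOKEN}
LEGIT_QUERY = "server_params=" + _b64({"name": "filesystem"})

if __name__ == "__main__":
    print("flawed pattern would run:  ", vulnerable_launch_argv(ATTACK_QUERY))
    print("gate, attack handshake:    ", gate(ATTACK_HEADERS, ATTACK_QUERY))
    print("gate, legitimate handshake:", gate(LEGIT_HEADERS, LEGIT_QUERY))
```

The order matters: the origin check runs before anything is decoded, so a hostile page is turned away without its payload ever being parsed, and the registry approach removes the need to sanitize a command line at all, because the browser never gets to supply one. In a real service these checks belong in the shared authentication middleware, so that no route can be exempted from them the way /api/mcp/* was.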

Crucially, this was caught during development. "This issue was identified and remediated before any PyPI release, so the affected code never shipped in a published package," Microsoft states. The exposure was limited to developers who built AutoGen Studio from the main GitHub branch between the MCP plugin landing and commit b047730; anyone running from source should confirm their checkout contains that commit or a later one. The current PyPI package autogenstudio 0.4.2.2 is clean.

Mitigation Advice from the Maintainer

Microsoft recommends running AutoGen Studio "strictly as a developer prototype in an isolated environment" not exposed to the internet. They go further: "Run AutoGen Studio under a low-privilege account in a sandboxed user profile or container so that any future agent-driven RCE is contained to a dev profile, not your daily-driver account."

This advice applies to any agentic system that can browse or execute code. The lesson isn't just about one flawed endpoint: every layer of an agent pipeline needs authentication, origin validation, and input validation before anything reaches a process launcher, and a listener bound to localhost is not a security boundary once a browser under the agent's control is running on the same host.


Source: Microsoft fixes AutoGen Studio flaw that enabled code execution
Domain: bleepingcomputer.com
