HackMyIP
2026-06-19 The Hacker News

AutoJack Flaw Lets Malicious Web Pages Hijack AI Agents for Code Execution

AI Security · Vulnerability · Supply Chain

Microsoft researchers have disclosed AutoJack, an exploit chain that weaponizes an AI browsing agent into a remote code execution vector. By luring a local agent to render an attacker-controlled web page, malicious JavaScript can reach a privileged local service and spawn arbitrary processes on the host machine. No credentials, login prompts, or additional user interaction are required once the page loads, making the attack trivially triggerable through a planted link, a URL field entry, or a prompt injection. The flaw resides in AutoGen Studio, the open-source prototyping interface for Microsoft Research's AutoGen multi-agent framework, specifically in its Model Context Protocol (MCP) WebSocket handler.

The vulnerability's packaging history determines who is actually exposed. A standard `pip install autogenstudio` pulls stable release 0.4.2.2, which contains no MCP route, supporting Microsoft's claim that the vulnerable surface never shipped in a stable PyPI release. However, the exposed handler did land on PyPI in two pre-release builds, 0.4.3.dev1 and 0.4.3.dev2, neither of which has been yanked. Since pip skips pre-releases unless the `--pre` flag is passed or the version is explicitly pinned, only developers who intentionally installed those builds are affected. The hardening commit (b047730, PR #7362) currently lives only in GitHub main, with no patched PyPI release available.

AutoJack chains three weaknesses in the MCP WebSocket surface. First, the socket trusted any localhost connection; that check was meant to block traffic from remote browsers, but a browsing agent running on the same machine inherits the localhost identity and passes it. Second, the authentication middleware skipped MCP paths on the assumption that the handler would verify tokens itself, yet it never did, so connections were accepted unauthenticated regardless of the configured auth mode. Third, the endpoint executed commands taken directly from request parameters with no allowlist on the executable, so a remote page rendered by a local agent could run attacker-chosen commands under the AutoGen Studio process account. The proof of concept demonstrated a "Web Content Summarizer" agent that, when fed an attacker URL, launched calc.exe on the developer's desktop.
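As an added illustration of how a local WebSocket endpoint should enforce the three checks the chain bypassed, here is a small request validator; this is not AutoGen Studio's code, and the route path, token and allowlist values are assumed for the example.

```python
"""Added example: a validator for a local MCP-style WebSocket request that
enforces the three checks AutoJack bypassed. Hypothetical code, not AutoGen
Studio's own; route, token and allowlist values are constructed."""
import hmac
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed values; a real service loads these from configuration.
EXPECTED_TOKEN = "constructed-example-token"
ALLOWED_EXECUTABLES = frozenset({"python", "node"})
MCP_ROUTE = "/mcp"  # assumed route name, not the project's actual path


@dataclass(frozen=True)
class McpRequest:
    path: str
    peer_is_localhost: bool
    auth_token: Optional[str]
    command: str  # shell-style command line requested by the page/agent


def reject_reason(req: McpRequest) -> Optional[str]:
    """Return why the request is denied, or None if every check passes.

    Check 1: a localhost peer is still required (useful as a layer), but it is
             NOT treated as proof of trust, because a local browsing agent
             shares that origin with any page it renders.
    Check 2: the MCP route gets the same token verification as every other
             route; there is no path-based exemption for the middleware to skip.
    Check 3: the executable must be on an explicit allowlist before anything
             derived from request parameters is run.
    """
    if not req.peer_is_localhost:
        return "remote peer"
    if req.path != MCP_ROUTE:
        return "unknown route"
    if req.auth_token is None or not hmac.compare_digest(
        req.auth_token, EXPECTED_TOKEN
    ):
        return "missing or invalid token"  # enforced on the MCP route too
    argv = shlex.split(req.command)
    executable = argv[0] if argv else "<empty>"
    if executable not in ALLOWED_EXECUTABLES:
        return f"executable not allowlisted: {executable}"
    return None
```

The order matters: a localhost peer with no token is rejected before its command is even parsed, which is the case the original handler let through.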

Developers running AutoGen Studio should verify their installed build immediately and upgrade to the patched GitHub commit if affected. Anyone evaluating AI agent frameworks should audit localhost services and run a port scanner to identify exposed local sockets that an agent could reach. To assess whether your network or domain appears in malicious campaigns targeting AI tooling, a WHOIS lookup can help trace suspicious infrastructure hosting exploit pages. Microsoft reports no active exploitation in the wild, classifying this as research rather than an active threat campaign.

Source: The Hacker News
