Microsoft details AutoJack flaw that could let a web page trigger code on AI agent hosts

Microsoft researchers said a flaw in AutoGen Studio could let an attacker use a single web page to trigger remote code execution on the machine running an AI browsing agent. The issue affects the pre-release PyPI builds 0.4.3.dev1 and 0.4.3.dev2, and no exploitation in the wild has been reported.

KEY FACTS

  • Target: The flaw was found in AutoGen Studio, the open-source interface for Microsoft Research’s AutoGen framework.
  • Affected builds: A plain pip install pulls stable version 0.4.2.2, which does not include the MCP route; the pre-release builds 0.4.3.dev1 and 0.4.3.dev2 did.
  • Attack path: The chain lets a local browsing agent open an attacker page that can reach a privileged local service and run a command.
  • Fix: The hardened code is on GitHub main at commit b047730, but it has not reached PyPI yet.

A technical analysis from Microsoft said the exploit chain, named AutoJack, relies on a malicious page loaded by an AI browsing agent. Once the page is opened, its JavaScript can reach a local MCP WebSocket service and start a process on the host.

The report said the service treated any connection from localhost as trusted, exempted MCP paths from authentication, and took the command to run directly from a request parameter. Microsoft said the proof of concept used a Web Content Summarizer agent and could launch calc.exe on the developer’s desktop.

The issue does not affect users who installed the stable PyPI release, according to the report, because that build lacks the MCP route. The vulnerable handler was present in pre-release builds 0.4.3.dev1 and 0.4.3.dev2, and neither has been yanked.

The disclosure said the main-branch fix stores parameters server-side behind a one-time session ID, rejects unknown IDs, and sends MCP routes through the normal authentication path. Until a release is published, Microsoft advised separating AutoGen Studio from browsing or code-execution agents and running it with limited privileges.
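To make the weakness and the fix concrete, the following is an added example, not code from AutoGen Studio or from Microsoft's report. It models the two patterns the disclosure describes in a stripped-down form: a handler that trusts localhost, skips authentication on MCP paths and runs whatever a parameter names, beside a handler that authenticates every route, keeps the parameters server-side behind a one-time session ID, and rejects unknown IDs. The `Request` shape, the bearer-token check, the `create_session` and `launch` names and the `run_command` stand-in (which records instead of spawning a process) are all assumptions for illustration; the sample requests are constructed.

```python
"""Constructed model of the AutoJack-style weakness and the fix pattern the
disclosure describes. Not AutoGen Studio code; request shape, token scheme
and handler names are assumptions for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    remote_addr: str          # peer address as the server sees it
    path: str
    params: dict
    headers: dict = field(default_factory=dict)

# Stand-in for the privileged action: record the command instead of running it.
LAUNCHED: list = []

def run_command(cmd: str) -> str:
    LAUNCHED.append(cmd)
    return f"launched:{cmd}"

API_TOKEN = "constructed-api-token"   # assumed token for the normal auth path

def authenticated(req: Request) -> bool:
    auth = req.headers.get("Authorization", "")
    return hmac.compare_digest(auth, f"Bearer {API_TOKEN}")

# Weak pattern: MCP paths bypass auth, a localhost peer is assumed to be the
# user, and the command comes straight from a request parameter.
def weak_handler(req: Request) -> tuple:
    if req.path.startswith("/mcp"):
        # A browsing agent's page on the same machine is also "localhost".
        if req.remote_addr in ("127.0.0.1", "::1"):
            cmd = req.params.get("command")
            if cmd is None:
                return 400, "missing command"
            return 200, run_command(cmd)
        return 403, "remote peer"
    if not authenticated(req):
        return 401, "unauthorized"
    return 200, "ok"

# Hardened pattern: every route authenticates; parameters are stored
# server-side behind a one-time session ID; the launch route takes only the ID.
class HardenedServer:
    def __init__(self):
        self._pending: dict = {}

    def create_session(self, req: Request) -> tuple:
        if not authenticated(req):
            return 401, "unauthorized"
        sid = secrets.token_urlsafe(32)
        self._pending[sid] = {"command": req.params["command"]}
        return 200, sid

    def launch(self, req: Request) -> tuple:
        if not authenticated(req):
            return 401, "unauthorized"
        spec = self._pending.pop(req.params.get("session"), None)  # consumed on use
        if spec is None:
            return 404, "unknown session"
        return 200, run_command(spec["command"])

def demo() -> dict:
    # Constructed request of the kind a page script could make an agent
    # browser send from the same host: localhost peer, no credentials.
    page_req = Request("127.0.0.1", "/mcp/run", {"command": "calc.exe"})
    srv = HardenedServer()
    ok_hdr = {"Authorization": f"Bearer {API_TOKEN}"}
    # A guessed ID is rejected even when the caller holds a valid token.
    guessed = srv.launch(Request("127.0.0.1", "/mcp/run", {"session": "guess"}, ok_hdr))
    # Legitimate flow: authenticated create, launch by ID, ID is single use.
    _, sid = srv.create_session(Request("127.0.0.1", "/mcp/session", {"command": "echo hi"}, ok_hdr))
    first = srv.launch(Request("127.0.0.1", "/mcp/run", {"session": sid}, ok_hdr))
    replay = srv.launch(Request("127.0.0.1", "/mcp/run", {"session": sid}, ok_hdr))
    return {
        "weak": weak_handler(page_req),
        "hardened_unauth": srv.launch(page_req),
        "guessed": guessed,
        "first": first,
        "replay": replay,
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened version never consults the peer address: the user's own browser and the agent's browser both arrive from 127.0.0.1, so the address carries no information about who is driving the request. What separates them is possession of the credential and of an ID that only an authenticated caller could have created, and the pop on use means a captured ID cannot be replayed.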

WHY IT MATTERS

The case shows that a localhost check says nothing about who is driving a request when an AI agent's browser and a local service run on the same machine. It also highlights the risk of giving agent frameworks process-execution power without strong authentication and allowlists.