thehackernews.com web signal

AutoGen Studio MCP Flaw Lets a Malicious Webpage Run Code on Host

microsoft agents cybersecurity ai-security agentic-ai

TL;DR

  • AutoGen Studio pre-release PyPI builds 0.4.3.dev1 and 0.4.3.dev2 carry an unpatched remote code execution chain; stable release 0.4.2.2 is safe.
  • The exploit chains three flaws: localhost socket trust, missing MCP route authentication, and unrestricted command execution via URL parameters.
  • Microsoft patched the flaw in GitHub at commit b047730, but no updated PyPI build carrying the fix has yet been released.

When an AI agent browses the web, the security assumption most teams make is that the agent's local environment stays local. AutoJack, an exploit chain disclosed by Microsoft researchers and reported by The Hacker News, breaks that assumption cleanly: a single malicious webpage, loaded by an AutoGen Studio AI agent running on a developer's machine, can silently execute arbitrary code on the host without any credentials or user interaction.

The attack chains three weaknesses in AutoGen Studio's Model Context Protocol (MCP) WebSocket implementation. The MCP socket trusts localhost, which turns out to be a soft target: as the researchers put it, "a browsing agent running on the same box is localhost, so anything it loads inherits that localhost identity." Authentication middleware skipped MCP paths entirely, assuming some other layer would verify tokens; it never did. And the endpoint accepted shell commands directly from URL request parameters with no allowlist, meaning an attacker-controlled page can pass arbitrary instructions straight through. The proof-of-concept demo had a "Web Content Summarizer" agent execute calc.exe on the developer's desktop under the AutoGen Studio process account, a stand-in for anything an attacker would actually want to run.

The affected versions are the pre-release PyPI builds 0.4.3.dev1 and 0.4.3.dev2; the stable release 0.4.2.2 contains no MCP route and is not vulnerable. Microsoft patched the flaw in GitHub at commit b047730, moving command parameters to server-side session IDs and routing MCP traffic through standard authentication. What the reporting leaves open is the practical timeline: no updated PyPI build carrying the fix has yet been released, which means any developer who pulled the pre-release builds via pip remains exposed until one ships.
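To make the three weaknesses and the shape of the fix concrete, the following added example (not AutoGen Studio's code, and not Microsoft's patch) models them in plain Python with no web framework: a request object stands in for an incoming WebSocket upgrade. `weak_authorize` exempts MCP paths and trusts localhost, and `weak_resolve_command` takes the executable straight from a URL parameter; the hardened pair requires a bearer token on every route regardless of caller address and resolves only an opaque, server-side session ID against an allowlist, which is the pattern the fix description above points at. Route names (`/mcp/ws`), parameter names (`command`, `session_id`), the token, the session registry and the filesystem MCP server entry are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
import hmac


@dataclass
class Request:
    """Constructed model of an inbound request; not a real framework type."""
    path: str
    client_host: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


VALID_TOKENS = {"dev-token-EXAMPLE"}  # constructed sample credential


def _bearer(req: Request) -> str:
    return req.headers.get("authorization", "").removeprefix("Bearer ").strip()


def _token_ok(token: str) -> bool:
    # Constant-time comparison against each issued token.
    return any(hmac.compare_digest(token, t) for t in VALID_TOKENS)


# Weak pattern 1: middleware that exempts MCP routes and trusts localhost.
def weak_authorize(req: Request) -> bool:
    if req.path.startswith("/mcp"):
        return True  # "some other layer will verify tokens"; nothing does
    if req.client_host in ("127.0.0.1", "::1"):
        return True  # a browsing agent on the same box is also localhost
    return _token_ok(_bearer(req))


# Hardened: every route, every caller, must present a valid token.
# Source address is deliberately not consulted.
def hardened_authorize(req: Request) -> bool:
    return _token_ok(_bearer(req))


# Weak pattern 2: the executable comes straight from the URL.
def weak_resolve_command(req: Request) -> Optional[str]:
    return req.query.get("command")


# Hardened: the URL carries only an opaque session id; the server decides
# what runs from a registry populated when the user configured the server.
MCP_SERVERS = {  # constructed allowlist
    "fs-readonly": ["mcp-server-filesystem", "--read-only", "/srv/docs"],
}
SESSIONS = {"sess-7f3a": "fs-readonly"}  # constructed session -> server mapping


def hardened_resolve_command(req: Request) -> Optional[list]:
    entry = SESSIONS.get(req.query.get("session_id", ""))
    if entry is None:
        return None
    return MCP_SERVERS.get(entry)  # client-supplied text never reaches exec


def evaluate(req: Request, authorize, resolve):
    """Return what the server would launch for this request, or None if rejected."""
    if not authorize(req):
        return None
    return resolve(req)


# Constructed request of the shape a malicious page could induce a local
# browsing agent to send: loopback source, MCP path, command in the query.
INDUCED_REQUEST = Request(
    path="/mcp/ws",
    client_host="127.0.0.1",
    query={"command": "calc.exe"},
)


if __name__ == "__main__":
    print("weak stack launches:", evaluate(INDUCED_REQUEST, weak_authorize, weak_resolve_command))
    print("hardened stack launches:", evaluate(INDUCED_REQUEST, hardened_authorize, hardened_resolve_command))
```

Two design points carry the weight here: the hardened authorizer has no notion of "trusted because local", and the hardened resolver treats the session ID purely as a lookup key, so the worst an attacker-controlled URL can do is select an entry the user already configured. In a real deployment the session ID would also need to be unguessable and bound to the authenticated user; that binding is assumed rather than shown in this example.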

The caveat worth sitting with is the scope beyond AutoGen Studio itself. Microsoft notes that similar patterns are expected in other agent frameworks, because the localhost trust model is a design habit, not a one-project slip. If you are running any AI agent that browses untrusted content, the immediate mitigation is isolation: separate containers or VMs, low-privilege accounts, and no co-location of the agent and the host's credentials. Longer term, this disclosure is useful pressure on every team building MCP-based tooling to audit whether their authentication assumptions still hold when the caller is a browsing agent rather than a human.