The Broadside · AI Cybersecurity · Vendor News · 1 min read

AutoGen Studio hardens AutoJack WebSocket RCE chain

The patched prototype matters less than the pattern: agent browsers can turn localhost control planes into remote execution paths.


TL;DR

Microsoft detailed AutoJack, an exploit chain in AutoGen Studio that let untrusted web content rendered by a browsing agent reach a local Model Context Protocol WebSocket and spawn arbitrary host processes. Maintainers hardened the upstream main branch in commit b047730, and Microsoft says the affected surface never shipped in a Python Package Index release. The affected users are developers running development builds, but the compliance lesson is broader: localhost is not a trust boundary when the agent is allowed to browse.

AutoJack is not a mass-exposure patch story. Microsoft says the vulnerable Model Context Protocol WebSocket surface was found during development, hardened in AutoGen Studio’s upstream main branch, and never included in a Python Package Index release. That matters. It also keeps this from becoming a vendor-advisory panic drill.

The useful part is the failure mode. AutoGen Studio is a prototyping UI for AutoGen, Microsoft Research’s multi-agent framework. The AutoJack chain combined three weaknesses: a localhost origin allowlist that a local browsing agent could satisfy, authentication middleware that skipped MCP paths, and URL-supplied server_params that could become command-line execution. Put differently, the agent did not merely read a hostile page. It became the path from hostile page to privileged local control plane.

That is the AI security problem compliance teams keep trying to force into older paperwork. The model is not the only boundary, and prompt injection is not only a content-integrity issue. NIST’s Center for AI Standards and Innovation described agent hijacking as a separation failure between trusted internal instructions and untrusted external data, which is exactly the shape here: untrusted web content influenced an agent with access to more powerful local capabilities (https://www.nist.gov/news-events/news/2025/01/technical-blog-strengthening-ai-agent-hijacking-evaluations).

For practitioners, the Monday work is boring and important. Inventory agent prototypes that browse external content, list the local services and MCP servers they can reach, require authentication and authorization on those control planes, and isolate them from developer laptops or core servers where practical. If the evidence package for an AI deployment only says the model was evaluated, it is missing the part that actually executed.
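To make the three weaknesses and the remediation above concrete, here is an added, hypothetical gatekeeper for WebSocket upgrade requests to a local agent control plane. It is not AutoGen Studio's code and does not reproduce its internals; the request fields, the policy knobs (`auth_exempt_prefixes`, `accept_url_server_params`), the `/api/ws/...` paths, the origin and the token are all constructed for the illustration. A weak policy in the shape the article describes (localhost origin allowlist, MCP paths exempt from authentication, launch parameters accepted from the URL) is evaluated beside a hardened one against the same constructed traffic.

```python
# Added example; hypothetical gatekeeper, not AutoGen Studio's own code.
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs
import hmac


@dataclass(frozen=True)
class UpgradeRequest:
    """A WebSocket upgrade request as seen by the local control plane (constructed)."""
    path: str                  # request path, e.g. "/api/ws/mcp" (hypothetical)
    origin: Optional[str]      # Origin header, None if absent
    auth_token: Optional[str]  # bearer token, None if absent
    query: str = ""            # raw query string


@dataclass(frozen=True)
class WsPolicy:
    """Hypothetical policy knobs mirroring the three weaknesses named in the article."""
    allowed_origins: frozenset
    expected_token: str
    auth_exempt_prefixes: Tuple[str, ...] = ()  # paths that skip authentication
    accept_url_server_params: bool = False      # let the URL define what gets launched


def check_upgrade(req: UpgradeRequest, policy: WsPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason). Checks run in order: origin, auth, parameters."""
    # 1. Origin allowlist. A localhost-only allowlist is necessary but not
    #    sufficient: a browsing agent on the same host presents an allowed origin.
    if req.origin not in policy.allowed_origins:
        return False, "origin-rejected"

    # 2. Authentication on every path. The weak configuration exempts MCP paths,
    #    so an allowed-origin request reaches them with no credential at all.
    exempt = any(req.path.startswith(p) for p in policy.auth_exempt_prefixes)
    if not exempt:
        if req.auth_token is None or not hmac.compare_digest(
            req.auth_token.encode(), policy.expected_token.encode()
        ):
            return False, "auth-required"

    # 3. Process launch parameters belong in server-side configuration, never in
    #    a URL that web content could have influenced.
    if "server_params" in parse_qs(req.query) and not policy.accept_url_server_params:
        return False, "server-params-in-url"

    return True, "ok"


TOKEN = "constructed-dev-token"  # placeholder credential for the demo

WEAK_POLICY = WsPolicy(
    allowed_origins=frozenset({"http://localhost:8081"}),
    expected_token=TOKEN,
    auth_exempt_prefixes=("/api/ws/mcp",),
    accept_url_server_params=True,
)

HARDENED_POLICY = WsPolicy(
    allowed_origins=frozenset({"http://localhost:8081"}),
    expected_token=TOKEN,
    auth_exempt_prefixes=(),
    accept_url_server_params=False,
)

# Constructed traffic: a legitimate UI session, an allowed-origin request with no
# credential carrying launch parameters in the URL, the same with a credential,
# and a request from a non-local origin.
UI_SESSION = UpgradeRequest("/api/ws/runs", "http://localhost:8081", TOKEN)
UNAUTHED_MCP = UpgradeRequest(
    "/api/ws/mcp", "http://localhost:8081", None, "server_params=PLACEHOLDER"
)
AUTHED_URL_PARAMS = UpgradeRequest(
    "/api/ws/mcp", "http://localhost:8081", TOKEN, "server_params=PLACEHOLDER"
)
REMOTE_ORIGIN = UpgradeRequest("/api/ws/mcp", "https://example.com", None)


def evaluate(policy: WsPolicy) -> dict:
    """Run the constructed requests through one policy; used by the demo and tests."""
    return {
        "ui_session": check_upgrade(UI_SESSION, policy),
        "unauthed_mcp": check_upgrade(UNAUTHED_MCP, policy),
        "authed_url_params": check_upgrade(AUTHED_URL_PARAMS, policy),
        "remote_origin": check_upgrade(REMOTE_ORIGIN, policy),
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for req_name, verdict in evaluate(policy).items():
            print(f"{name:9} {req_name:18} -> {verdict}")
```

Under the weak policy the unauthenticated, allowed-origin request to the MCP path is accepted with its URL-supplied `server_params` intact; the hardened policy rejects it for missing authentication, and rejects the same request even with a valid token because launch parameters are not taken from the URL. The legitimate UI session passes both, which is the point of the inventory step: tightening the control plane does not have to break the prototype.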


Published · Deep Fathom