Microsoft has addressed a vulnerability chain in AutoGen Studio, its open-source interface for prototyping AI agents, that could have enabled arbitrary code execution on a developer’s machine under specific conditions. The flaw, dubbed “AutoJack,” allowed a malicious webpage to manipulate a locally running AI agent into issuing system-level commands on the host operating system.
AutoGen Studio is the graphical front end for Microsoft’s AutoGen framework, which enables developers to build multi-agent AI systems capable of collaborating, browsing the web, calling APIs, executing code, and interacting with external tools. With more than 59,000 GitHub stars and nearly 9,000 forks, the project has seen widespread interest among AI developers. Microsoft emphasized, however, that the issue was identified and patched during development and never reached a public PyPI release, limiting its real-world exposure.
According to Microsoft, AutoJack emerged from a combination of design weaknesses in how AutoGen Studio handled local communication and authentication. The MCP WebSocket endpoint trusted any connection originating from localhost, and a browser tab on the same machine connects from exactly that address, so attacker-controlled JavaScript on an arbitrary webpage could present itself as a trusted local source. At the same time, key MCP routes bypassed authentication checks entirely, and the WebSocket endpoint itself enforced no access controls of its own. To make matters worse, it accepted a base64-encoded parameter from the URL that was passed directly into process-launching logic, enabling arbitrary execution of PowerShell, Bash commands, or other executables.
In a proof-of-concept scenario, Microsoft demonstrated how a developer visiting a malicious webpage could have their local AI agent tricked into opening a WebSocket connection to AutoGen Studio and executing attacker-supplied commands with the user’s privileges—even launching benign programs like Windows Calculator to illustrate the impact. While the vulnerable code was never shipped in official PyPI releases such as version 0.4.2.2, it did affect developers who built the project directly from GitHub during a narrow development window.
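As an added illustration (this is not AutoGen Studio's code and not Microsoft's proof of concept), the following Python reconstructs the three weaknesses described above in a minimal WebSocket upgrade handler and places a hardened handler beside it: the weak version treats a localhost peer address as proof of identity, checks no token, and decodes a base64 `cmd` query parameter straight into an argv; the hardened version checks the browser `Origin` header against the app's own origins, requires a per-session bearer token, and maps a client-named action onto a server-side command table. Port 8081, the `cmd`/`action` parameter names, the token scheme, the command table and the sample requests are all assumptions for the example; the weak handler only returns the argv it would have launched and never executes anything.

```python
from __future__ import annotations

import base64
import hmac
import secrets
import shlex
from dataclasses import dataclass, field


@dataclass
class WsRequest:
    """What a WebSocket upgrade handler sees: peer address, HTTP headers, query string."""
    peer_ip: str
    headers: dict[str, str] = field(default_factory=dict)
    query: dict[str, str] = field(default_factory=dict)


# ---- the AutoJack-style pattern (hypothetical reconstruction) ----------------
def vulnerable_plan(req: WsRequest) -> list[str] | None:
    """Return the argv the weak handler would hand to a process launcher.

    This only *plans* the command and never runs it; the point is to show how
    far attacker input travels with nothing in the way.
    """
    # Weakness 1: the peer address is the only "authentication". A browser tab on
    # https://attacker.example that opens ws://127.0.0.1:8081/... arrives with
    # exactly this peer address, so the check proves nothing about who sent it.
    if req.peer_ip not in ("127.0.0.1", "::1"):
        return None
    # Weakness 2: no session token and no Origin check at all.
    # Weakness 3: a base64 URL parameter is decoded straight into the command.
    raw = base64.b64decode(req.query.get("cmd", "")).decode()
    return shlex.split(raw)


# ---- hardened pattern --------------------------------------------------------
# Hypothetical values: a real server would mint the token at startup, hand it
# only to its own UI, and derive the origin allowlist from its bind address/port.
SESSION_TOKEN = secrets.token_urlsafe(32)
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
# Commands are chosen by the server; the client may only name an action.
ALLOWED_ACTIONS: dict[str, list[str]] = {
    "run_tests": ["python", "-m", "pytest", "-q"],
    "list_agents": ["python", "-m", "autogenstudio", "list"],  # hypothetical
}


def reject_reason(req: WsRequest, token: str = SESSION_TOKEN) -> str | None:
    """Return None if the upgrade may proceed, else a short reason for the 403."""
    # Browsers always send Origin on a WebSocket upgrade; any origin this app does
    # not serve is a cross-site caller, whatever the peer address says.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return "origin"
    # Every caller, browser or not, must present the per-session bearer token;
    # constant-time comparison avoids leaking the token through timing.
    presented = req.headers.get("Authorization", "").encode()
    if not hmac.compare_digest(presented, f"Bearer {token}".encode()):
        return "auth"
    if req.query.get("action") not in ALLOWED_ACTIONS:
        return "action"
    return None


def hardened_plan(req: WsRequest, token: str = SESSION_TOKEN) -> list[str]:
    """Same job as vulnerable_plan, but the argv comes from the server-side table."""
    reason = reject_reason(req, token)
    if reason is not None:
        raise PermissionError(reason)
    return list(ALLOWED_ACTIONS[req.query["action"]])


# ---- constructed sample traffic (not captured from any real system) ----------
def attacker_request() -> WsRequest:
    """Upgrade as a malicious page produces it: local peer, foreign Origin,
    attacker-chosen base64 command, no token."""
    return WsRequest(
        peer_ip="127.0.0.1",
        headers={"Origin": "https://attacker.example"},
        query={"cmd": base64.b64encode(b"calc.exe").decode()},
    )


def legit_request(token: str = SESSION_TOKEN) -> WsRequest:
    """Upgrade from the app's own UI holding the session token."""
    return WsRequest(
        peer_ip="127.0.0.1",
        headers={"Origin": "http://127.0.0.1:8081", "Authorization": f"Bearer {token}"},
        query={"action": "run_tests"},
    )


if __name__ == "__main__":
    print("weak handler would run:", vulnerable_plan(attacker_request()))
    print("hardened handler rejects attacker for:", reject_reason(attacker_request()))
    print("hardened handler runs for the UI:", hardened_plan(legit_request()))
```

Two design points matter here. The `Origin` check alone is not enough, because non-browser clients send no `Origin` at all, which is why the token is required of everyone; and the token alone is not enough against a browser-driven attack if the token ever leaks into a URL or a cross-origin-readable response, which is why the command itself is never taken from the client.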
Microsoft advises that AutoGen Studio be treated strictly as a development prototype and run only in isolated, sandboxed environments. The company further warns against deploying it alongside agents capable of executing code or interacting with untrusted web content, recommending execution under low-privilege accounts or containerized setups to ensure that any future agent-driven exploitation is contained.
