AutoJack Chains MCP WebSocket Bypass in AutoGen 0.4.3.dev Builds for Agent-Driven RCE

The chain exploits three design decisions in the MCP handler: localhost-only checks that treat agent-fetched content as trusted, skipped authentication middleware on MCP routes, and direct command execution from request parameters without allowlists. Microsoft inspected the stable 0.4.2.2 PyPI build, which lacks the route entirely, yet both dev builds shipped the vulnerable code and remain available. GitHub main received hardening at commit b047730 that stores parameters server-side behind one-time session IDs and enforces normal auth paths.

No public CVE or independent exploitation reports exist, but the pattern matches prior agent-framework exposures where prototyping interfaces assume isolated execution. Procurement and job postings for AutoGen-based orchestration tools continue to emphasize rapid integration with browsers and code interpreters, increasing the surface. The absence of a patched PyPI release leaves any pinned dev user exposed until a new wheel is cut.

Operational impact centers on shared localhost environments typical in developer workstations running multiple agents. Isolation via containers or distinct privilege accounts breaks the trust assumption, yet current AutoGen documentation does not mandate such separation. Similar MCP-style endpoints in competing frameworks warrant targeted review of their auth and origin checks before production deployment.