Microsoft Fixes AutoJack Flaw That Let Hackers Execute Code Through AI Agents

Microsoft has patched a serious vulnerability chain in AutoGen Studio, its interface for prototyping AI agents, that could let attackers execute arbitrary commands on a developer’s machine just by getting them to visit a malicious webpage.

The flaw, dubbed AutoJack, combined three separate weaknesses in AutoGen Studio. The most critical was that the system’s WebSocket endpoint accepted base64-encoded commands from URLs and passed them directly to process-launching code without proper authentication. An attacker could craft a webpage that, when visited by a developer’s AI agent, would trick AutoGen Studio into running attacker-chosen PowerShell or Bash commands.
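To make the defensive shape of that fix concrete, here is an added example (not AutoGen Studio's code, and not a reproduction of the vulnerable handler) of how a local "run command" WebSocket endpoint should gate a base64-encoded request taken from a URL. The session token, allowed origins, action names and function names are all assumptions constructed for the illustration. The three checks mirror the three weaknesses described above: the connection's Origin is verified, every message must carry a per-session token compared in constant time, and the decoded payload is matched against an allow-list of fixed argv lists rather than being passed to a shell.

```python
"""Hardened local WebSocket 'run' gate (hypothetical example, not AutoGen's code)."""
import base64
import binascii
import hmac
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed per-session secret; a real app generates this at startup
# and hands it only to the trusted UI that opened the WebSocket.
SESSION_TOKEN = "constructed-session-token"

# Origins permitted to open the socket (assumed UI port).
ALLOWED_ORIGINS = {"http://localhost:8081", "http://127.0.0.1:8081"}

# Named actions mapped to fixed argv lists: no shell, no caller-supplied args.
ALLOWED_ACTIONS = {
    "list_sessions": [sys.executable, "-c", "print('sessions')"],
    "ping": [sys.executable, "-c", "print('pong')"],
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: Optional[List[str]] = None


def encode_action(name: str) -> str:
    """Encode an action name the way the UI would place it in the URL."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii")


def decode_payload(encoded: str) -> Optional[str]:
    """Strictly decode the base64 URL parameter; None on any malformed input."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def authorize(origin: Optional[str], token: Optional[str],
              encoded_cmd: Optional[str]) -> Decision:
    """Decide whether a WebSocket 'run' request may proceed.

    Origin and token are checked before the payload is even decoded, so an
    unauthenticated or cross-origin caller never reaches the dispatcher.
    """
    if origin not in ALLOWED_ORIGINS:
        return Decision(False, "origin not allowed")
    if token is None or not hmac.compare_digest(token, SESSION_TOKEN):
        return Decision(False, "missing or invalid session token")
    if encoded_cmd is None:
        return Decision(False, "no command supplied")
    action = decode_payload(encoded_cmd)
    if action is None:
        return Decision(False, "malformed base64 payload")
    argv = ALLOWED_ACTIONS.get(action)
    if argv is None:
        # Arbitrary strings (e.g. a program name or 'bash -c ...') land here.
        return Decision(False, f"action {action!r} not in allow-list")
    return Decision(True, "ok", argv=list(argv))


def run_action(decision: Decision) -> str:
    """Execute an approved action without a shell and return its stdout."""
    if not decision.allowed or decision.argv is None:
        raise PermissionError(decision.reason)
    result = subprocess.run(decision.argv, capture_output=True, text=True, check=False)
    return result.stdout.strip()


if __name__ == "__main__":
    # Cross-site page with a valid-looking payload: rejected at the origin check.
    print(authorize("http://evil.example", SESSION_TOKEN, encode_action("ping")))
    # Trusted UI, but an action that is not on the allow-list: rejected.
    print(authorize("http://localhost:8081", SESSION_TOKEN, encode_action("calc.exe")))
    # Trusted UI, valid token, allow-listed action: runs without a shell.
    print(run_action(authorize("http://localhost:8081", SESSION_TOKEN, encode_action("ping"))))
```

The important design choice is that the decoded string is used only as a lookup key: even an authenticated caller cannot make the endpoint run anything that is not already spelled out as a fixed argv list, so a leaked or guessed token does not become arbitrary code execution.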

AutoGen is hugely popular, with over 59,000 stars on GitHub. Microsoft says the impact was limited because the vulnerability was caught during development and never shipped in a published PyPI package. Only developers building directly from GitHub during a specific window were affected.

Microsoft demonstrated the attack by showing it could launch Windows Calculator on the target machine. In a real-world scenario, the attacker could run any command with the developer’s privileges.

Microsoft recommends running AutoGen Studio in an isolated environment under a low-privilege account, and never running it with an agent that can browse untrusted content. The company also advises deploying it in a sandboxed container to contain any future agent-driven exploits.