PT-2026-53330 · Npm · Agentic-Flow

Publicado

2026-06-19

·

Atualizado

2026-06-19

CVSS v3.1

8.8

Alta

VetorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

agentic-flow versions <= 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters (e.g. agent, task, name, language, agentdb arguments) directly into shell command strings passed to execSync(). A malicious value reaching any of the affected MCP tools could break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server.
This was a partial-fix gap: prior commit 6a06854 (#158) fixed CWE-78 elsewhere in the project but missed the MCP server files entirely.

Impact

Any MCP tool argument that the AI agent treats as data but the implementation interpolates into a shell command string becomes a command-injection vector. In MCP deployments where untrusted content (web pages, files, third-party tool output) is processed by the agent, this is reachable without direct attacker access to the host. The HTTP/SSE transports (http-sse.ts, http-streaming-updated.ts) expose the same sinks without authentication or Origin/Host validation, which may raise the effective severity in any deployment that binds them to a reachable network interface.

Affected components

  • src/mcp/standalone-stdio.tsagentic flow agent, agentic flow create agent, agentic flow list all agents, agentic flow agent info, agentic flow check conflicts, agentic flow optimize model, agentic flow list agents, agent booster edit file, agent booster batch edit, agent booster parse markdown, agentdb stats, agentdb pattern store, agentdb pattern search, agentdb pattern stats
  • src/mcp/fastmcp/servers/claude-flow-sdk.ts
  • src/mcp/fastmcp/servers/stdio-full.ts
  • src/mcp/fastmcp/servers/http-streaming-updated.ts
  • src/mcp/fastmcp/servers/http-sse.ts
  • src/mcp/fastmcp/servers/poc-stdio.ts
  • src/mcp/fastmcp/tools/agent/{execute,list,parallel}.ts
  • src/mcp/fastmcp/tools/swarm/orchestrate.ts
  • src/mcp/fastmcp/tools/hooks/pretrain.ts (depth path only)

Proof of Concept

ts
// Pre-fix (standalone-stdio.ts, agentic flow agent)
let cmd = `npx --yes agentic-flow --agent "${agent}" --task "${task}"`;
const result = execSync(cmd, { encoding: 'utf-8', ... });
Invoking the MCP tool with:
json
{
 "agent": "coder",
 "task": "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""
}
produces, after interpolation:
npx --yes agentic-flow --agent "coder" --task "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""
When execSync hands that to /bin/sh -c, the shell parses three commands: the truncated npx, then touch /tmp/INJECTED, then id > /tmp/rce.txt; echo "". The marker file /tmp/INJECTED is created and the user's id output is written to /tmp/rce.txt.

Patches

Fixed in agentic-flow@2.0.14 — every affected call site rewritten to use execFileSync(file, argv, { shell: false }) so attacker-controlled argv elements are passed straight to execve(2) without shell parsing.
Fix PR: ruvnet/agentic-flow#170 (merged at 0c2ec96)
A regression test (tests/security/cwe-78-mcp-execsync.test.ts) was added that statically scans every src/mcp/**/*.ts file and fails the build if any new execSync() call is reintroduced outside of a documented exemption, plus a behavioural smoke check that the canonical PoC payload remains inert when passed as an argv element to execFileSync.

Workarounds

Upgrade to agentic-flow >= 2.0.14. There is no in-product configuration that mitigates this without upgrading.

Downstream pin

The ruflo / claude-flow / @claude-flow/cli packages bumped from 3.12.33.12.4 to pull the patched agentic-flow:
  • ruflo@3.12.4
  • claude-flow@3.12.4
  • @claude-flow/cli@3.12.4
End users running any of npx ruflo@latest, npx claude-flow@latest, or npx @claude-flow/cli@latest are pinned to the fixed version.

Credit

Reported by hackchang via a well-scoped red-team report package (npm agentic-flow report package 20260618 163017.zip) that included a sink inventory, a minimized PoC payload, and a clear explanation of why this was a partial-fix gap rather than intended behaviour. The sink inventory directly drove the single-grep pass that closed every reachable call site; the PoC payload became the behavioural smoke test that proves the canonical attack stays inert as an argv element.

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-VCV2-R9JH-99M5

Produtos afetados

Agentic-Flow