PT-2026-53330 · Npm · Agentic-Flow
Publicado
2026-06-19
·
Atualizado
2026-06-19
CVSS v3.1
8.8
Alta
| Vetor | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Summary
agentic-flow versions <= 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters (e.g. agent, task, name, language, agentdb arguments) directly into shell command strings passed to execSync(). A malicious value reaching any of the affected MCP tools could break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server.This was a partial-fix gap: prior commit
6a06854 (#158) fixed CWE-78 elsewhere in the project but missed the MCP server files entirely.Impact
Any MCP tool argument that the AI agent treats as data but the implementation interpolates into a shell command string becomes a command-injection vector. In MCP deployments where untrusted content (web pages, files, third-party tool output) is processed by the agent, this is reachable without direct attacker access to the host. The HTTP/SSE transports (
http-sse.ts, http-streaming-updated.ts) expose the same sinks without authentication or Origin/Host validation, which may raise the effective severity in any deployment that binds them to a reachable network interface.Affected components
src/mcp/standalone-stdio.ts—agentic flow agent,agentic flow create agent,agentic flow list all agents,agentic flow agent info,agentic flow check conflicts,agentic flow optimize model,agentic flow list agents,agent booster edit file,agent booster batch edit,agent booster parse markdown,agentdb stats,agentdb pattern store,agentdb pattern search,agentdb pattern statssrc/mcp/fastmcp/servers/claude-flow-sdk.tssrc/mcp/fastmcp/servers/stdio-full.tssrc/mcp/fastmcp/servers/http-streaming-updated.tssrc/mcp/fastmcp/servers/http-sse.tssrc/mcp/fastmcp/servers/poc-stdio.tssrc/mcp/fastmcp/tools/agent/{execute,list,parallel}.tssrc/mcp/fastmcp/tools/swarm/orchestrate.tssrc/mcp/fastmcp/tools/hooks/pretrain.ts(depth path only)
Proof of Concept
ts
// Pre-fix (standalone-stdio.ts, agentic flow agent)
let cmd = `npx --yes agentic-flow --agent "${agent}" --task "${task}"`;
const result = execSync(cmd, { encoding: 'utf-8', ... });Invoking the MCP tool with:
json
{
"agent": "coder",
"task": "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""
}produces, after interpolation:
npx --yes agentic-flow --agent "coder" --task "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""When
execSync hands that to /bin/sh -c, the shell parses three commands: the truncated npx, then touch /tmp/INJECTED, then id > /tmp/rce.txt; echo "". The marker file /tmp/INJECTED is created and the user's id output is written to /tmp/rce.txt.Patches
Fixed in
agentic-flow@2.0.14 — every affected call site rewritten to use execFileSync(file, argv, { shell: false }) so attacker-controlled argv elements are passed straight to execve(2) without shell parsing.Fix PR: ruvnet/agentic-flow#170 (merged at
0c2ec96)A regression test (
tests/security/cwe-78-mcp-execsync.test.ts) was added that statically scans every src/mcp/**/*.ts file and fails the build if any new execSync() call is reintroduced outside of a documented exemption, plus a behavioural smoke check that the canonical PoC payload remains inert when passed as an argv element to execFileSync.Workarounds
Upgrade to
agentic-flow >= 2.0.14. There is no in-product configuration that mitigates this without upgrading.Downstream pin
The
ruflo / claude-flow / @claude-flow/cli packages bumped from 3.12.3 → 3.12.4 to pull the patched agentic-flow:ruflo@3.12.4claude-flow@3.12.4@claude-flow/cli@3.12.4
End users running any of
npx ruflo@latest, npx claude-flow@latest, or npx @claude-flow/cli@latest are pinned to the fixed version.Credit
Reported by hackchang via a well-scoped red-team report package (
npm agentic-flow report package 20260618 163017.zip) that included a sink inventory, a minimized PoC payload, and a clear explanation of why this was a partial-fix gap rather than intended behaviour. The sink inventory directly drove the single-grep pass that closed every reachable call site; the PoC payload became the behavioural smoke test that proves the canonical attack stays inert as an argv element.Correção
OS Command Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Agentic-Flow