Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Untrusted content must reach the tool (UI:R) but no auth is required on the exposed sinks (PR:N); trivial injection (AC:L) yields full OS control (C/I/A:H) as the server user.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Agentic-Flow is an AI agent orchestration platform. Prior to 2.0.14, agentic-flow MCP server tools in src/mcp/standalone-stdio.ts, src/mcp/fastmcp/servers/claude-flow-sdk.ts, src/mcp/fastmcp/servers/stdio-full.ts, src/mcp/fastmcp/servers/http-streaming-updated.ts, src/mcp/fastmcp/servers/http-sse.ts, src/mcp/fastmcp/servers/poc-stdio.ts, src/mcp/fastmcp/tools/agent/{execute,list,parallel}.ts, src/mcp/fastmcp/tools/swarm/orchestrate.ts, and src/mcp/fastmcp/tools/hooks/pretrain.ts interpolated attacker-influenceable tool parameters such as agent, task, name, language, and agentdb directly into shell command strings passed to execSync(), allowing arbitrary OS command execution with the privileges of the MCP server user. This issue is fixed in version 2.0.14.
AnalysisAI
OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that one of the vulnerable MCP tools (in standalone-stdio.ts, the fastmcp servers, or the agent/swarm/hooks tool modules) be invoked with an attacker-influenced value for a parameter that reaches the execSync sink - specifically agent, task, name, language, or agentdb - carrying shell metacharacters that escape the surrounding double quotes. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) reflects network-reachable, low-complexity exploitation yielding full confidentiality, integrity, and availability impact, with user interaction (UI:R) capturing that the agent must process attacker-influenced data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker plants a malicious instruction inside content the agent will read - a web page, file, or third-party tool response - containing a crafted task value such as `x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "`. When the agent invokes an affected MCP tool with that value, interpolation into the execSync string breaks out of the quotes and the injected commands run with the MCP server user's privileges (POC published in the GHSA advisory). … |
| Remediation | Vendor-released patch: upgrade agentic-flow to 2.0.14 or later (npm install agentic-flow@^2.0.14), which replaces execSync template-string interpolation with execFileSync argv arrays and shell:false; downstream ruflo users should move to 3.12.4, which requires agentic-flow >=2.0.14. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Immediately conduct a 24-hour inventory of all systems running Agentic-Flow versions before 2.0.14, document network exposure, and implement network segmentation to restrict MCP server HTTP/SSE interface access to trusted networks only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45256