Agentic Flow
Monthly
OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. A working proof of concept is published in the vendor's GHSA advisory; there is no evidence of active in-the-wild exploitation (not in CISA KEV).
OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. A working proof of concept is published in the vendor's GHSA advisory; there is no evidence of active in-the-wild exploitation (not in CISA KEV).