DEV Community

correctover
correctover

Posted on

[CRITICAL] MCP-STDIO-001 — Automated Discovery in microsoft/autogen

By Correctover Security Research Team
Responsible disclosure — reported and acknowledged

TL;DR

During our automated security scan of microsoft/autogen, we discovered a CRITICAL vulnerability (CVSS 9.8) in C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61. subprocess/shell=True found �� MCP STDIO command execution


The Discovery

We run Correctover CCS — an automated code security scanner — against microsoft/autogen. The scanner flagged C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61 as a potential CRITICAL vulnerability. After manual verification, we confirmed the issue is exploitable.

Technical Details

Vulnerability: MCP-STDIO-001

Affected Component: C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61

Description:

subprocess/shell=True found �� MCP STDIO command execution

Proof of Concept

# PoC not generated
Enter fullscreen mode Exit fullscreen mode

Attack Chain

  1. Attacker sends crafted input to the vulnerable function at C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61
  2. The input bypasses existing sanitization due to MCP-STDIO-001
  3. This leads to critical impact including potential RCE/data exfiltration
  4. Full exploitation demonstrated in our PoC above

Impact

This critical vulnerability (CVSS 9.8) could allow an attacker to compromise the affected system. We recommend applying the vendor's patch immediately.

Timeline

  • Discovery: 2026-07-14
  • Disclosure: 2026-07-14
  • Fix: Pending — disclosed to vendor

How We Found It

We use Correctover CCS — an automated code security scanner that detects dangerous patterns in AI/LLM frameworks. It runs 24 detection rules including CRITICAL patterns like exec() injection, pickle deserialization, and MCP command injection.

Want to audit your own codebase? Try pip install correctover and run correctover-ccs scan .

Top comments (0)