GHSA-VCV2-R9JH-99M5: OS Command Injection in agentic-flow MCP Server Tools
Vulnerability ID: GHSA-VCV2-R9JH-99M5
CVSS Score: 8.8
Published: 2026-06-19
An OS command injection vulnerability (CWE-78) exists in agentic-flow versions 2.0.13 and prior. The package's Model Context Protocol (MCP) server tools directly interpolate user-controlled parameters into shell command strings executed via child_process.execSync without validation. If an AI agent processes untrusted external input and forwards it as parameters to any affected tool, an attacker can break out of the shell argument quotes and execute arbitrary OS commands on the host machine.
TL;DR
Unsanitized parameters passed to agentic-flow MCP tools are executed directly in system shells via Node.js execSync, enabling remote attackers to run arbitrary OS commands when an AI agent processes malicious external content.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-78
- Attack Vector: Network (Unauthenticated) / User Interaction Required (AI processing untrusted input)
- CVSS Severity: 8.8 (High)
- Exploit Status: PoC Available / Verified
- KEV Status: Not Listed
Affected Systems
- agentic-flow <= 2.0.13
- ruflo < 3.12.4
- claude-flow < 3.12.4
- @claude-flow/cli < 3.12.4
- agentic-flow: <= 2.0.13 (Fixed in: 2.0.14)
Code Analysis
Commit: 0c2ec96
Replace vulnerable execSync calls with safe execFileSync parameterization
Mitigation Strategies
- Upgrade agentic-flow to version 2.0.14 or later
- Ensure all dependent packages (ruflo, claude-flow) are updated to version 3.12.4
- Deploy runtime execution sandboxing for all MCP servers
Remediation Steps:
- Identify affected Node.js installations running agentic-flow <= 2.0.13
- Update package.json dependencies to target version 2.0.14 or higher
- Run npm install to apply the patch
- Verify that the process tree running MCP tools lacks shell execution rights