GHSA-VCV2-R9JH-99M5: OS Command Injection in agentic-flow MCP Server Tools

The vulnerability, tracked as GHSA-vcv2-r9jh-99m5, is an OS command injection flaw (CWE-78) in the agentic-flow npm package at versions 2.0.13 and earlier.

This library exposes Model Context Protocol (MCP) servers and tools designed to facilitate direct actions by artificial intelligence (AI) agents, such as executing local system commands, interacting with databases, and editing codebases.

The attack surface is highly significant because LLM-driven agents are designed to autonomously read and parse untrusted data sources (such as public GitHub repositories, scraped web pages, or incoming emails) and pass summarized arguments to these tools.

If an attacker can manipulate the input that an AI agent parses, they can trigger command execution on the host machine hosting the MCP server. This bypasses the typical boundaries established for AI agent sandboxing and compromises the underlying operating system.

The root cause of this vulnerability lies in the unsafe use of Node.js's native child_process.execSync() function paired with template string interpolation.

When execSync(commandString) is called in Node.js, the runtime spawns a shell (such as /bin/sh on Unix systems or cmd.exe on Windows) to parse and run the complete string. Because the codebase directly interpolated user-controlled variables into the command string within double quotes, system shells treated metacharacters as active shell directives.

An attacker can supply payloads containing double quotes to break out of the string literal, followed by shell control characters such as semicolons, logical AND operators, or pipes. This terminates the legitimate command and causes the shell to execute arbitrary appended commands under the security context of the parent Node.js process.

Below is a comparison of the vulnerable and patched implementations within the MCP server codebase.

Vulnerable Code Path

In src/mcp/standalone-stdio.ts, parameters were concatenated dynamically without sanitization:

// Unsafe shell interpolation inside agentic_flow_agent tool
let cmd = `npx --yes agentic-flow --agent \"${agent}\" --task \"${task}\"`;
const result = execSync(cmd, { encoding: 'utf-8' });

Patched Implementation

The remediated code replaces the shell execution wrapper with execFileSync and disables the shell interpreter globally:

// Safe direct process execution
const NPX_EXEC_OPTS = { shell: false as const };
 
const result = execFileSync(
  'npx',
  ['--yes', 'agentic-flow', '--agent', agent, '--task', task],
  { ...NPX_EXEC_OPTS, encoding: 'utf-8' }
);

Using execFileSync with shell: false passes arguments directly to the OS kernel via the execve system call. The operating system treats each element of the arguments array as a literal string payload, preventing shell parsing engines from executing special control characters.

Exploitation of this vulnerability relies on feeding an LLM agent structured malicious input that is subsequently passed down to the MCP server's active tools.

Attack Vector Details

An attacker can place a weaponized payload inside a public repository, web page, or PDF document that they know an agent is scheduled to read. For example, the payload might read: x\"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo \".

When the agent processes this text, it invokes the agentic_flow_agent tool and transmits the payload as the task argument. The resulting string is passed directly to the shell as:

npx --yes agentic-flow --agent \"coder\" --task \"x\"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo \"\"

The shell splits this command sequence on the semicolon, successfully running the initial command, followed by the execution of touch /tmp/INJECTED and id > /tmp/rce.txt on the host operating system.

This vulnerability presents a high-risk security threat, receiving a CVSS v3.1 score of 8.8.

Because MCP servers typically run locally on developers' machines or inside centralized internal deployment environments, successful exploitation yields arbitrary shell command execution with the permissions of the underlying system user. An attacker can perform actions such as exfiltrating environment variables, reading private codebases, stealing SSH and API keys, or establishing persistent reverse shells.

The impact is compounded because the attack vector bypasses traditional network defense systems, using the AI agent as an interactive proxy to perform the exploit delivery phase.

To secure affected systems, immediate software updates and robust monitoring are required.

Security Regression Tests

The development team implemented automated regression security tests to block future occurrences of this flaw. The test suite, located in tests/security/cwe-78-mcp-execsync.test.ts, parses the codebase to verify that execSync is never imported or invoked without explicit inclusion in an exempt list:

import { describe, it, expect } from 'vitest';
import { readFileSync, readdirSync, statSync } from 'node:fs';
import { join, resolve } from 'node:path';
 
const MCP_ROOT = resolve(__dirname, '../../src/mcp');
const EXEMPT_FILES = new Set<string>([
  'fastmcp/tools/hooks/pretrain.ts'
]);

Organizations should also deploy static analysis configurations (such as ESLint rules) to restrict the use of raw shell execution sinks across all Node.js development projects.