Skip to content

Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync

High severity GitHub Reviewed Published Jun 18, 2026 in ruvnet/agentic-flow • Updated Jun 19, 2026

Package

npm agentic-flow (npm)

Affected versions

<= 2.0.13

Patched versions

2.0.14

Description

Summary

agentic-flow versions <= 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters (e.g. agent, task, name, language, agentdb arguments) directly into shell command strings passed to execSync(). A malicious value reaching any of the affected MCP tools could break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server.

This was a partial-fix gap: prior commit 6a06854 (#158) fixed CWE-78 elsewhere in the project but missed the MCP server files entirely.

Impact

Any MCP tool argument that the AI agent treats as data but the implementation interpolates into a shell command string becomes a command-injection vector. In MCP deployments where untrusted content (web pages, files, third-party tool output) is processed by the agent, this is reachable without direct attacker access to the host. The HTTP/SSE transports (http-sse.ts, http-streaming-updated.ts) expose the same sinks without authentication or Origin/Host validation, which may raise the effective severity in any deployment that binds them to a reachable network interface.

Affected components

  • src/mcp/standalone-stdio.tsagentic_flow_agent, agentic_flow_create_agent, agentic_flow_list_all_agents, agentic_flow_agent_info, agentic_flow_check_conflicts, agentic_flow_optimize_model, agentic_flow_list_agents, agent_booster_edit_file, agent_booster_batch_edit, agent_booster_parse_markdown, agentdb_stats, agentdb_pattern_store, agentdb_pattern_search, agentdb_pattern_stats
  • src/mcp/fastmcp/servers/claude-flow-sdk.ts
  • src/mcp/fastmcp/servers/stdio-full.ts
  • src/mcp/fastmcp/servers/http-streaming-updated.ts
  • src/mcp/fastmcp/servers/http-sse.ts
  • src/mcp/fastmcp/servers/poc-stdio.ts
  • src/mcp/fastmcp/tools/agent/{execute,list,parallel}.ts
  • src/mcp/fastmcp/tools/swarm/orchestrate.ts
  • src/mcp/fastmcp/tools/hooks/pretrain.ts (depth path only)

Proof of Concept

// Pre-fix (standalone-stdio.ts, agentic_flow_agent)
let cmd = `npx --yes agentic-flow --agent "${agent}" --task "${task}"`;
const result = execSync(cmd, { encoding: 'utf-8', ... });

Invoking the MCP tool with:

{
  "agent": "coder",
  "task": "x\"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo \""
}

produces, after interpolation:

npx --yes agentic-flow --agent "coder" --task "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""

When execSync hands that to /bin/sh -c, the shell parses three commands: the truncated npx, then touch /tmp/INJECTED, then id > /tmp/rce.txt; echo "". The marker file /tmp/INJECTED is created and the user's id output is written to /tmp/rce.txt.

Patches

Fixed in agentic-flow@2.0.14 — every affected call site rewritten to use execFileSync(file, argv, { shell: false }) so attacker-controlled argv elements are passed straight to execve(2) without shell parsing.

Fix PR: ruvnet/agentic-flow#170 (merged at 0c2ec96)

A regression test (tests/security/cwe-78-mcp-execsync.test.ts) was added that statically scans every src/mcp/**/*.ts file and fails the build if any new execSync() call is reintroduced outside of a documented exemption, plus a behavioural smoke check that the canonical PoC payload remains inert when passed as an argv element to execFileSync.

Workarounds

Upgrade to agentic-flow >= 2.0.14. There is no in-product configuration that mitigates this without upgrading.

Downstream pin

The ruflo / claude-flow / @claude-flow/cli packages bumped from 3.12.33.12.4 to pull the patched agentic-flow:

  • ruflo@3.12.4
  • claude-flow@3.12.4
  • @claude-flow/cli@3.12.4

End users running any of npx ruflo@latest, npx claude-flow@latest, or npx @claude-flow/cli@latest are pinned to the fixed version.

Credit

Reported by hackchang via a well-scoped red-team report package (npm_agentic-flow_report_package_20260618_163017.zip) that included a sink inventory, a minimized PoC payload, and a clear explanation of why this was a partial-fix gap rather than intended behaviour. The sink inventory directly drove the single-grep pass that closed every reachable call site; the PoC payload became the behavioural smoke test that proves the canonical attack stays inert as an argv element.

References

@ruvnet ruvnet published to ruvnet/agentic-flow Jun 18, 2026
Published to the GitHub Advisory Database Jun 19, 2026
Reviewed Jun 19, 2026
Last updated Jun 19, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS score

Weaknesses

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-vcv2-r9jh-99m5

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.