GHSA-vcv2-r9jh-99m5: Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
agentic-flow versions <= 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters (e.g. agent, task, name, language, agentdb arguments) directly into shell command strings passed to execSync(). A malicious value reaching any of the affected MCP tools could break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server.
This was a partial-fix gap: prior commit 6a06854 (#158) fixed CWE-78 elsewhere in the project but missed the MCP server files entirely.
References
- github.com/advisories/GHSA-vcv2-r9jh-99m5
- github.com/ruvnet/agentic-flow/issues/169
- github.com/ruvnet/agentic-flow/pull/170
- github.com/ruvnet/agentic-flow/security/advisories/GHSA-vcv2-r9jh-99m5
- github.com/ruvnet/ruflo/issues/2414
- github.com/ruvnet/ruflo/pull/2415
- github.com/ruvnet/ruflo/releases/tag/v3.12.4
- www.npmjs.com/package/agentic-flow/v/2.0.14
Code Behaviors & Features
Detect and mitigate GHSA-vcv2-r9jh-99m5 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →