ATR-2026-01980 (critical, tool poisoning, draft)

Agentic-Flow MCP Tool-Parameter OS Command Injection (GHSA-vcv2-r9jh-99m5)

Detects GHSA-vcv2-r9jh-99m5 (CWE-78): agentic-flow <= 2.0.13 MCP server tools (agentic_flow_agent, agentic_flow_create_agent, agent_booster_edit_file, agentdb_pattern_store, and related tools under standalone-stdio.ts / fastmcp servers) interpolate attacker-influenceable parameters (agent, task, name, language, agentdb arguments) directly into shell strings passed to execSync(). A parameter value that breaks out of the surrounding double-quoted argument executes arbitrary OS commands with the privileges of the MCP server process. Detection covers: (a) an agentic-flow tool-call argument value containing a double-quote breakout followed by shell command chaining (`; `, backticks, or `$(...)`) — the exact PoC shape from the advisory (task = `x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "`); (b) the resulting interpolated `npx ... agentic-flow --agent/--task` command string itself carrying injected shell metacharacters; (c) explicit GHSA-vcv2-r9jh-99m5 exploitation framing. The detection target is the request shape — a quote-breakout + command chain inside an agentic-flow tool argument — which is the exact command-injection primitive, caught before execSync() hands it to /bin/sh -c. Bound to the agentic-flow tool surface so a benign shell-looking string elsewhere does not fire.

Severity: critical
Category: tool poisoning
Scan target: mcp
Author: ATR Community

Recommended response

alert, block_tool

References

OWASP Agentic: ASI06:2026 - Tool Misuse
OWASP LLM: LLM06:2025 - Excessive Agency
MITRE ATLAS: AML.T0053 - LLM Plugin Compromise

Detection conditions

Combination: any
  1. Condition 01 (field: tool_args, operator: regex)
     agentic-flow tool argument (agent/task/name/language/agentdb) whose value breaks out of its quote with `";` followed by a chained shell command — the canonical GHSA-vcv2-r9jh-99m5 PoC shape.
  2. Condition 02 (field: tool_args, operator: regex)
     The interpolated `npx --yes agentic-flow --agent/--task` command string itself carrying an injected chained shell command after the closing quote — the post-interpolation execSync() payload.
  3. Condition 03 (field: tool_args, operator: regex)
     Quote-breakout followed by a backtick or $() command substitution inside an agentic-flow tool argument.
  4. Condition 04 (field: content, operator: regex)
     Explicit GHSA-vcv2-r9jh-99m5 reference combined with agentic-flow command-injection language — attack framing in a skill or tool description.

Attack examples (rule triggers)

The above are sanitized versions of real attack payloads, versioned together with the rule as regression tests so that future revisions cannot silently stop catching them.

Benign samples (rule does not trigger)

  1. Legitimate agentic-flow task description, no quote-breakout
  2. Benign question about agentic-flow configuration
  3. Normal name/language params with no shell metacharacters
  4. Benign text containing the word touch and a semicolon in natural language, no quote-breakout or dangerous command token

Known false-positive scenarios

  • A tool_args value that legitimately contains a semicolon or backtick as literal text data (e.g. discussing shell syntax) without an adjacent quote-breakout shape.
  • Security advisory or PR text quoting the GHSA-vcv2-r9jh-99m5 payload for review purposes.
  • A benign agentic-flow agent/task value with no quote character or shell metacharacter.

Full YAML definition

title: "Agentic-Flow MCP Tool-Parameter OS Command Injection (GHSA-vcv2-r9jh-99m5)"
id: ATR-2026-01980
rule_version: 1
status: draft
description: >
  Detects GHSA-vcv2-r9jh-99m5 (CWE-78): agentic-flow <= 2.0.13 MCP server
  tools (agentic_flow_agent, agentic_flow_create_agent, agent_booster_edit_file,
  agentdb_pattern_store, and related tools under standalone-stdio.ts / fastmcp
  servers) interpolate attacker-influenceable parameters (agent, task, name,
  language, agentdb arguments) directly into shell strings passed to
  execSync(). A parameter value that breaks out of the surrounding
  double-quoted argument executes arbitrary OS commands with the privileges
  of the MCP server process.

  Detection covers:
  (a) an agentic-flow tool-call argument value containing a double-quote
      breakout followed by shell command chaining (`; `, backticks, or
      `$(...)`) — the exact PoC shape from the advisory
      (task = `x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "`);
  (b) the resulting interpolated `npx ... agentic-flow --agent/--task`
      command string itself carrying injected shell metacharacters;
  (c) explicit GHSA-vcv2-r9jh-99m5 exploitation framing.

  The detection target is the request shape — a quote-breakout + command
  chain inside an agentic-flow tool argument — which is the exact
  command-injection primitive, caught before execSync() hands it to
  /bin/sh -c. Bound to the agentic-flow tool surface so a benign
  shell-looking string elsewhere does not fire.
author: "ATR Community"
date: "2026/07/04"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  mitre_attack:
    - "T1059 - Command and Scripting Interpreter"
  ghsa:
    - "GHSA-vcv2-r9jh-99m5"

metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed

compliance:
  eu_ai_act:
    - { article: "15", context: "Article 15 cybersecurity — runtime detection of agentic-flow MCP tool-parameter OS command injection.", strength: primary }
    - { article: "9",  context: "Article 9 risk management — runtime risk-treatment control for agentic-flow MCP tool-parameter OS command injection.", strength: secondary }
  nist_ai_rmf:
    - { subcategory: "MP.5.1", context: "MAP 5.1 — adversarial input characterised/detected for agentic-flow MCP tool-parameter OS command injection.", strength: primary }
    - { subcategory: "MG.3.2", context: "MANAGE 3.2 — runtime monitoring control for agentic-flow MCP tool-parameter OS command injection.", strength: secondary }
  iso_42001:
    - { clause: "8.1", context: "Clause 8.1 operational control — detection of agentic-flow MCP tool-parameter OS command injection payload.", strength: primary }
    - { clause: "8.3", context: "Clause 8.3 AI risk treatment — runtime detection as treatment control.", strength: secondary }

tags:
  category: tool-poisoning
  subcategory: command-injection
  scan_target: mcp
  confidence: high
  source: ghsa-disclosure
  vendor_sources: agentic-flow-ghsa-vcv2-r9jh-99m5

agent_source:
  type: tool_call
  framework:
    - agentic-flow
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "A tool_args value that legitimately contains a semicolon or backtick as literal text data (e.g. discussing shell syntax) without an adjacent quote-breakout shape."
    - "Security advisory or PR text quoting the GHSA-vcv2-r9jh-99m5 payload for review purposes."
    - "A benign agentic-flow agent/task value with no quote character or shell metacharacter."
  conditions:
    - field: tool_args
      operator: regex
      value: '(?i)\b(?:agent|task|name|language|agentdb)["\x27]?\s*[:=]\s*["\x27][^"\x27\n]{0,200}["\x27]\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod|echo)\b'
      description: >
        agentic-flow tool argument (agent/task/name/language/agentdb) whose
        value breaks out of its quote with `";` followed by a chained shell
        command — the canonical GHSA-vcv2-r9jh-99m5 PoC shape.
    - field: tool_args
      operator: regex
      value: '(?i)npx\s+--yes\s+agentic-flow[\s\S]{0,80}--(?:agent|task)\s+"[^"\n]{0,200}"\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod)\b'
      description: >
        The interpolated `npx --yes agentic-flow --agent/--task` command
        string itself carrying an injected chained shell command after the
        closing quote — the post-interpolation execSync() payload.
    - field: tool_args
      operator: regex
      value: '(?i)["\x27][^"\x27\n]{0,200}["\x27]\s*;[\s\S]{0,80}`[^`\n]{0,120}`|["\x27][^"\x27\n]{0,200}["\x27]\s*;[\s\S]{0,80}\$\([^)\n]{0,120}\)'
      description: >
        Quote-breakout followed by a backtick or $() command substitution
        inside an agentic-flow tool argument.
    - field: content
      operator: regex
      value: '(?i)GHSA-vcv2-r9jh-99m5[\s\S]{0,200}(?:agentic-flow|execSync|command\s*inject|RCE)'
      description: >
        Explicit GHSA-vcv2-r9jh-99m5 reference combined with agentic-flow
        command-injection language — attack framing in a skill or tool
        description.

response:
  actions:
    - alert
    - block_tool
  message_template: >
    [ATR-2026-01980] CRITICAL: Agentic-Flow MCP tool-parameter OS command
    injection detected (GHSA-vcv2-r9jh-99m5, CWE-78). A tool argument breaks
    out of its shell quote and chains a command; agentic-flow <= 2.0.13
    interpolates this into execSync() unsanitized. Block the tool call and
    upgrade agentic-flow to >= 2.0.14.

confidence: 85

wild_fp_rate: 0

test_cases:
  true_positives:
    - tool_args: 'task="x\"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo \""'
      expected: triggered
      description: "Canonical PoC: task param quote-breakout chaining touch+id+echo"
    - tool_args: 'npx --yes agentic-flow --agent "coder" --task "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""'
      expected: triggered
      description: "Post-interpolation execSync() command string with injected chain"
    - tool_description: "Exploiting GHSA-vcv2-r9jh-99m5 in agentic-flow: craft a task value that breaks the execSync quoting for command injection RCE."
      expected: triggered
      description: "Explicit GHSA-vcv2-r9jh-99m5 agentic-flow exploitation framing"
  true_negatives:
    - tool_args: 'agent="coder", task="Refactor the login handler to use async/await"'
      expected: not_triggered
      description: "Legitimate agentic-flow task description, no quote-breakout"
    - content: "How do I configure the agentic-flow MCP server's agent and task parameters?"
      expected: not_triggered
      description: "Benign question about agentic-flow configuration"
    - tool_args: 'name="release-notes", language="typescript"'
      expected: not_triggered
      description: "Normal name/language params with no shell metacharacters"
    - tool_args: 'agentdb_pattern_search query="find all functions that touch the user; audit them"'
      expected: not_triggered
      description: "Benign text containing the word touch and a semicolon in natural language, no quote-breakout or dangerous command token"
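As an added example (not the ATR rule engine or agentic-flow's own code), the four conditions above evaluated in JavaScript over the rule's own test cases, beside a model of the vulnerable shell-string interpolation and the argv form that keeps the shell out of the path. The interpolation template and the mapping of the third positive's `tool_description` onto the `content` field are assumptions; the inline `(?i)` flag of the rule's regexes becomes the JavaScript `i` flag.

```javascript
// Added example: a minimal evaluator for the four regex conditions of
// ATR-2026-01980 plus a model of the flaw it detects. `(?i)` becomes `/i`.
const CONDITIONS = [
  { id: "01", field: "tool_args", re: /\b(?:agent|task|name|language|agentdb)["\x27]?\s*[:=]\s*["\x27][^"\x27\n]{0,200}["\x27]\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod|echo)\b/i },
  { id: "02", field: "tool_args", re: /npx\s+--yes\s+agentic-flow[\s\S]{0,80}--(?:agent|task)\s+"[^"\n]{0,200}"\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod)\b/i },
  { id: "03", field: "tool_args", re: /["\x27][^"\x27\n]{0,200}["\x27]\s*;[\s\S]{0,80}`[^`\n]{0,120}`|["\x27][^"\x27\n]{0,200}["\x27]\s*;[\s\S]{0,80}\$\([^)\n]{0,120}\)/i },
  { id: "04", field: "content", re: /GHSA-vcv2-r9jh-99m5[\s\S]{0,200}(?:agentic-flow|execSync|command\s*inject|RCE)/i },
];
// `condition: any`: the rule fires when at least one condition matches its field.
function evaluateRule(event) {
  const matched = CONDITIONS
    .filter((c) => typeof event[c.field] === "string" && c.re.test(event[c.field]))
    .map((c) => c.id);
  return { triggered: matched.length > 0, matched };
}

// Assumed model of the <= 2.0.13 flaw, reconstructed from the page's
// post-interpolation example (not agentic-flow's source): a closing quote in
// `task` ends the argument and /bin/sh -c parses the rest as more commands.
function buildShellCommand(agent, task) {
  return `npx --yes agentic-flow --agent "${agent}" --task "${task}"`;
}

// Hardened shape for child_process.execFileSync(argv[0], argv.slice(1)):
// no shell parses the parameters, so quotes and `;` stay inside one argument.
function buildArgv(agent, task) {
  return ["npx", "--yes", "agentic-flow", "--agent", agent, "--task", task];
}

// Constructed regression set taken from the rule's test_cases. The page lists
// the third positive under `tool_description`; feeding it to `content` is an
// assumption about how the engine maps that field.
const POC_TASK = 'x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "';
const TEST_EVENTS = [
  { event: { tool_args: 'task="x\\"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo \\""' }, expected: true },
  { event: { tool_args: buildShellCommand("coder", POC_TASK) }, expected: true },
  { event: { content: "Exploiting GHSA-vcv2-r9jh-99m5 in agentic-flow: craft a task value that breaks the execSync quoting for command injection RCE." }, expected: true },
  { event: { tool_args: 'agent="coder", task="Refactor the login handler to use async/await"' }, expected: false },
  { event: { content: "How do I configure the agentic-flow MCP server's agent and task parameters?" }, expected: false },
  { event: { tool_args: 'name="release-notes", language="typescript"' }, expected: false },
  { event: { tool_args: 'agentdb_pattern_search query="find all functions that touch the user; audit them"' }, expected: false },
];
// One {expected, matched, pass} record per case; a failure means a revision
// of the regexes has silently changed what the rule catches.
function runTestCases() {
  return TEST_EVENTS.map(({ event, expected }) => {
    const { triggered, matched } = evaluateRule(event);
    return { expected, matched, pass: triggered === expected };
  });
}
```

Running `runTestCases()` after every regex edit is the check the page's regression-test sentence describes: the two positives built from the PoC must keep matching conditions 01 and 02 respectively, and the four benign samples must stay clean.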

Revision history

Created: 2026-07-04
Last modified: 2026-07-05