Agentic-Flow MCP Tool-Parameter OS Command Injection (GHSA-vcv2-r9jh-99m5)
Detects GHSA-vcv2-r9jh-99m5 (CWE-78): agentic-flow <= 2.0.13 MCP server tools (agentic_flow_agent, agentic_flow_create_agent, agent_booster_edit_file, agentdb_pattern_store, and related tools under standalone-stdio.ts / fastmcp servers) interpolate attacker-influenceable parameters (agent, task, name, language, agentdb arguments) directly into shell strings passed to execSync(). A parameter value that breaks out of the surrounding double-quoted argument executes arbitrary OS commands with the privileges of the MCP server process. Detection covers: (a) an agentic-flow tool-call argument value containing a double-quote breakout followed by shell command chaining (`; `, backticks, or `$(...)`) — the exact PoC shape from the advisory (task = `x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "`); (b) the resulting interpolated `npx ... agentic-flow --agent/--task` command string itself carrying injected shell metacharacters; (c) explicit GHSA-vcv2-r9jh-99m5 exploitation framing. The detection target is the request shape — a quote-breakout + command chain inside an agentic-flow tool argument — which is the exact command-injection primitive, caught before execSync() hands it to /bin/sh -c. Bound to the agentic-flow tool surface so a benign shell-looking string elsewhere does not fire.
Suggested response
References
Detection conditions
Combination: any
- 01: agentic-flow tool argument (agent/task/name/language/agentdb) whose value breaks out of its quote with `";` followed by a chained shell command — the canonical GHSA-vcv2-r9jh-99m5 PoC shape. Field: tool_args. Operator: regex
- 02: The interpolated `npx --yes agentic-flow --agent/--task` command string itself carrying an injected chained shell command after the closing quote — the post-interpolation execSync() payload. Field: tool_args. Operator: regex
- 03: Quote-breakout followed by a backtick or $() command substitution inside an agentic-flow tool argument. Field: tool_args. Operator: regex
- 04: Explicit GHSA-vcv2-r9jh-99m5 reference combined with agentic-flow command-injection language — attack framing in a skill or tool description. Field: content. Operator: regex
Attack examples (rule triggers)
The above are sanitised versions of real attack payloads, versioned together with the rule as regression tests so that future revisions cannot quietly stop catching them.
Benign samples (rule does not trigger)
- Legitimate agentic-flow task description, no quote-breakout
- Benign question about agentic-flow configuration
- Normal name/language params with no shell metacharacters
- Benign text containing the word touch and a semicolon in natural language, no quote-breakout or dangerous command token
Known false-positive scenarios
- A tool_args value that legitimately contains a semicolon or backtick as literal text data (e.g. discussing shell syntax) without an adjacent quote-breakout shape.
- Security advisory or PR text quoting the GHSA-vcv2-r9jh-99m5 payload for review purposes.
- A benign agentic-flow agent/task value with no quote character or shell metacharacter.
Full YAML definition
title: "Agentic-Flow MCP Tool-Parameter OS Command Injection (GHSA-vcv2-r9jh-99m5)"
id: ATR-2026-01980
rule_version: 1
status: draft
description: >
  Detects GHSA-vcv2-r9jh-99m5 (CWE-78): agentic-flow <= 2.0.13 MCP server
  tools (agentic_flow_agent, agentic_flow_create_agent, agent_booster_edit_file,
  agentdb_pattern_store, and related tools under standalone-stdio.ts / fastmcp
  servers) interpolate attacker-influenceable parameters (agent, task, name,
  language, agentdb arguments) directly into shell strings passed to
  execSync(). A parameter value that breaks out of the surrounding
  double-quoted argument executes arbitrary OS commands with the privileges
  of the MCP server process.
  Detection covers:
  (a) an agentic-flow tool-call argument value containing a double-quote
  breakout followed by shell command chaining (`; `, backticks, or
  `$(...)`) — the exact PoC shape from the advisory
  (task = `x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "`);
  (b) the resulting interpolated `npx ... agentic-flow --agent/--task`
  command string itself carrying injected shell metacharacters;
  (c) explicit GHSA-vcv2-r9jh-99m5 exploitation framing.
  The detection target is the request shape — a quote-breakout + command
  chain inside an agentic-flow tool argument — which is the exact
  command-injection primitive, caught before execSync() hands it to
  /bin/sh -c. Bound to the agentic-flow tool surface so a benign
  shell-looking string elsewhere does not fire.
author: "ATR Community"
date: "2026/07/04"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical
references:
  owasp_llm:
    - "LLM06:2025 - Excessive Agency"
  owasp_agentic:
    - "ASI06:2026 - Tool Misuse"
  mitre_atlas:
    - "AML.T0053 - LLM Plugin Compromise"
  mitre_attack:
    - "T1059 - Command and Scripting Interpreter"
  ghsa:
    - "GHSA-vcv2-r9jh-99m5"
metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed
compliance:
  eu_ai_act:
    - { article: "15", context: "Article 15 cybersecurity — runtime detection of agentic-flow MCP tool-parameter OS command injection.", strength: primary }
    - { article: "9", context: "Article 9 risk management — runtime risk-treatment control for agentic-flow MCP tool-parameter OS command injection.", strength: secondary }
  nist_ai_rmf:
    - { subcategory: "MP.5.1", context: "MAP 5.1 — adversarial input characterised/detected for agentic-flow MCP tool-parameter OS command injection.", strength: primary }
    - { subcategory: "MG.3.2", context: "MANAGE 3.2 — runtime monitoring control for agentic-flow MCP tool-parameter OS command injection.", strength: secondary }
  iso_42001:
    - { clause: "8.1", context: "Clause 8.1 operational control — detection of agentic-flow MCP tool-parameter OS command injection payload.", strength: primary }
    - { clause: "8.3", context: "Clause 8.3 AI risk treatment — runtime detection as treatment control.", strength: secondary }
tags:
  category: tool-poisoning
  subcategory: command-injection
  scan_target: mcp
  confidence: high
  source: ghsa-disclosure
  vendor_sources: agentic-flow-ghsa-vcv2-r9jh-99m5
agent_source:
  type: tool_call
  framework:
    - agentic-flow
    - any
  provider:
    - any
detection:
  condition: any
  false_positives:
    - "A tool_args value that legitimately contains a semicolon or backtick as literal text data (e.g. discussing shell syntax) without an adjacent quote-breakout shape."
    - "Security advisory or PR text quoting the GHSA-vcv2-r9jh-99m5 payload for review purposes."
    - "A benign agentic-flow agent/task value with no quote character or shell metacharacter."
  conditions:
    - field: tool_args
      operator: regex
      value: '(?i)\b(?:agent|task|name|language|agentdb)["\x27]?\s*[:=]\s*["\x27][^"\x27\n]{0,200}["\x27]\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod|echo)\b'
      description: >
        agentic-flow tool argument (agent/task/name/language/agentdb) whose
        value breaks out of its quote with `";` followed by a chained shell
        command — the canonical GHSA-vcv2-r9jh-99m5 PoC shape.
    - field: tool_args
      operator: regex
      value: '(?i)npx\s+--yes\s+agentic-flow[\s\S]{0,80}--(?:agent|task)\s+"[^"\n]{0,200}"\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod)\b'
      description: >
        The interpolated `npx --yes agentic-flow --agent/--task` command
        string itself carrying an injected chained shell command after the
        closing quote — the post-interpolation execSync() payload.
    - field: tool_args
      operator: regex
      value: '(?i)["\x27][^"\x27\n]{0,200}["\x27]\s*;[\s\S]{0,80}`[^`\n]{0,120}`|["\x27][^"\x27\n]{0,200}["\x27]\s*;[\s\S]{0,80}\$\([^)\n]{0,120}\)'
      description: >
        Quote-breakout followed by a backtick or $() command substitution
        inside an agentic-flow tool argument.
    - field: content
      operator: regex
      value: '(?i)GHSA-vcv2-r9jh-99m5[\s\S]{0,200}(?:agentic-flow|execSync|command\s*inject|RCE)'
      description: >
        Explicit GHSA-vcv2-r9jh-99m5 reference combined with agentic-flow
        command-injection language — attack framing in a skill or tool
        description.
response:
  actions:
    - alert
    - block_tool
  message_template: >
    [ATR-2026-01980] CRITICAL: Agentic-Flow MCP tool-parameter OS command
    injection detected (GHSA-vcv2-r9jh-99m5, CWE-78). A tool argument breaks
    out of its shell quote and chains a command; agentic-flow <= 2.0.13
    interpolates this into execSync() unsanitized. Block the tool call and
    upgrade agentic-flow to >= 2.0.14.
confidence: 85
wild_fp_rate: 0
test_cases:
  true_positives:
    - tool_args: 'task="x\"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo \""'
      expected: triggered
      description: "Canonical PoC: task param quote-breakout chaining touch+id+echo"
    - tool_args: 'npx --yes agentic-flow --agent "coder" --task "x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo ""'
      expected: triggered
      description: "Post-interpolation execSync() command string with injected chain"
    - tool_description: "Exploiting GHSA-vcv2-r9jh-99m5 in agentic-flow: craft a task value that breaks the execSync quoting for command injection RCE."
      expected: triggered
      description: "Explicit GHSA-vcv2-r9jh-99m5 agentic-flow exploitation framing"
  true_negatives:
    - tool_args: 'agent="coder", task="Refactor the login handler to use async/await"'
      expected: not_triggered
      description: "Legitimate agentic-flow task description, no quote-breakout"
    - content: "How do I configure the agentic-flow MCP server's agent and task parameters?"
      expected: not_triggered
      description: "Benign question about agentic-flow configuration"
    - tool_args: 'name="release-notes", language="typescript"'
      expected: not_triggered
      description: "Normal name/language params with no shell metacharacters"
    - tool_args: 'agentdb_pattern_search query="find all functions that touch the user; audit them"'
      expected: not_triggered
      description: "Benign text containing the word touch and a semicolon in natural language, no quote-breakout or dangerous command token"
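Added example, not agentic-flow's source and not the ATR project's own evaluator: a JavaScript port of the rule's four regex conditions evaluated with `condition: any` over an event, beside a reconstruction of the unsafe interpolated string the rule targets and the argv form that removes the shell from the call. The field names, regexes and PoC task value come from the YAML above; `buildShellCommandUnsafe` is an assumed reconstruction of the vulnerable shape, not the project's code.

```javascript
// Added example (not agentic-flow's source and not the ATR project's evaluator).
// Ports the four ATR-2026-01980 regex conditions to JavaScript and shows the
// command-building shape the rule is designed to catch beside a hardened form.

// The YAML conditions, verbatim apart from "(?i)" becoming the /i flag.
const CONDITIONS = [
  { id: '01', field: 'tool_args',
    re: /\b(?:agent|task|name|language|agentdb)["']?\s*[:=]\s*["'][^"'\n]{0,200}["']\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod|echo)\b/i },
  { id: '02', field: 'tool_args',
    re: /npx\s+--yes\s+agentic-flow[\s\S]{0,80}--(?:agent|task)\s+"[^"\n]{0,200}"\s*;\s*[\s\S]{0,120}\b(?:touch|rm|curl|wget|cat|id|nc|bash|sh|chmod)\b/i },
  { id: '03', field: 'tool_args',
    re: /["'][^"'\n]{0,200}["']\s*;[\s\S]{0,80}`[^`\n]{0,120}`|["'][^"'\n]{0,200}["']\s*;[\s\S]{0,80}\$\([^)\n]{0,120}\)/i },
  { id: '04', field: 'content',
    re: /GHSA-vcv2-r9jh-99m5[\s\S]{0,200}(?:agentic-flow|execSync|command\s*inject|RCE)/i },
];

// `condition: any`: the rule fires if at least one condition matches its field.
// Returns the ids of the matching conditions so an alert can name them.
function evaluateRule(event) {
  return CONDITIONS
    .filter(c => typeof event[c.field] === 'string' && c.re.test(event[c.field]))
    .map(c => c.id);
}

// Reconstruction (assumed, not the project's code) of the vulnerable shape:
// tool parameters dropped into a double-quoted shell string. Returns the
// string execSync() would hand to /bin/sh -c; it is never executed here.
function buildShellCommandUnsafe(agent, task) {
  return `npx --yes agentic-flow --agent "${agent}" --task "${task}"`;
}

// Hardened shape: program plus argv array for execFileSync(). No shell parses
// the parameters, so a quote or semicolon stays inside one argument.
function buildArgvSafe(agent, task) {
  return ['npx', ['--yes', 'agentic-flow', '--agent', agent, '--task', task]];
}

// The advisory's PoC task value (from the page) and a benign task taken from
// the rule's true-negative test cases.
const POC_TASK = 'x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "';
const BENIGN_TASK = 'Refactor the login handler to use async/await';

console.log(evaluateRule({ tool_args: buildShellCommandUnsafe('coder', POC_TASK) }));    // [ '02' ]
console.log(evaluateRule({ tool_args: buildShellCommandUnsafe('coder', BENIGN_TASK) })); // []
console.log(buildArgvSafe('coder', POC_TASK)[1][5] === POC_TASK);                        // true
```

Condition 01 does not fire on the interpolated string because it keys on a `key=value` shape, which is why the rule carries condition 02 for the post-interpolation payload.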