Advisories for Npm/Agentic-Flow package

2026

Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync

In agentic-flow versions <= 2.0.13, the MCP server tools interpolated attacker-influenceable tool parameters (e.g. agent, task, name, language, agentdb arguments) directly into shell command strings passed to execSync(). A malicious value reaching any of the affected MCP tools could break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server. This was a partial-fix gap: prior commit 6a06854 (#158) fixed CWE-78 …