Agent Zero Remote Code Execution Vulnerability via MCP Server Configuration
Vulnerability
A remote code execution vulnerability exists in Agent Zero version 0.9.8, specifically within the External MCP Servers configuration feature. The application permits users to define MCP servers using a JSON configuration that can include arbitrary command and argument values. The application executes these user-supplied values when the configuration is applied, without adequate validation or restrictions. This vulnerability allows an attacker to inject malicious MCP configurations that execute arbitrary operating system commands, potentially leading to remote code execution with the same privileges as the Agent Zero process.
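One way to supply the validation that is missing here, written as an added example and not taken from Agent Zero's code or its fix. It assumes the common MCP client layout (a top-level `mcpServers` object whose entries carry `command` and `args`); the allowlist contents, function name and sample configurations are constructed for illustration.

```python
import json

# Assumption: deployment-specific allowlist (constructed values) mapping each
# permitted launcher to the MCP server packages an administrator has approved.
APPROVED = {
    "npx": {"@modelcontextprotocol/server-filesystem"},
    "uvx": {"mcp-server-fetch"},
}
SAFE_FLAGS = {"-y"}  # launcher flags tolerated before the package name


def validate_mcp_config(raw: str) -> list[str]:
    """Return findings for a submitted config; an empty list means accept."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return ["expected a top-level 'mcpServers' object"]
    findings = []
    for name, spec in servers.items():
        spec = spec if isinstance(spec, dict) else {}
        command, args = spec.get("command"), spec.get("args", [])
        # Exact match on a bare name: paths, shells and interpreters all fail.
        if not isinstance(command, str) or command not in APPROVED:
            findings.append(f"{name}: command {command!r} is not allowlisted")
            continue
        if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
            findings.append(f"{name}: args must be a list of strings")
            continue
        rest = list(args)
        while rest and rest[0].startswith("-"):
            flag = rest.pop(0)
            if flag not in SAFE_FLAGS:
                findings.append(f"{name}: launcher flag {flag!r} is not permitted")
        if not rest or rest[0] not in APPROVED[command]:
            findings.append(f"{name}: package {rest[:1]} is not approved")
    return findings


# Constructed sample submissions.
GOOD = ('{"mcpServers": {"files": {"command": "npx", "args": '
        '["-y", "@modelcontextprotocol/server-filesystem", "/srv/shared"]}}}')
SHELL = '{"mcpServers": {"x": {"command": "bash", "args": ["-c", "echo constructed"]}}}'
FLAG = '{"mcpServers": {"y": {"command": "npx", "args": ["-c", "echo constructed"]}}}'

if __name__ == "__main__":
    for sample in (GOOD, SHELL, FLAG):
        print(validate_mcp_config(sample) or "accepted")
```

A check like this belongs on the server side, before the configuration is applied, and the accepted command should then be started from an argument vector rather than through a shell.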
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Agent Zero is running, with the same privileges as the Agent Zero process.
Reproduction
To reproduce this vulnerability, access the Agent Zero application and navigate to the External MCP Servers configuration feature. Create a new MCP server by submitting a JSON configuration that includes arbitrary command and argument values. Once the configuration is applied, the specified commands will be executed on the server without proper validation, resulting in remote code execution.
