Agions Taskflow-AI Command Injection Vulnerability in MCP Tool Execution
Vulnerability
A command injection vulnerability has been identified in Agions Taskflow-AI versions through 2.1.8. The issue resides in the MCP server handlers and executor components, specifically within the 'terminal_execute' tool, which is not publicly listed but can be invoked by attackers. The vulnerability allows for arbitrary OS command execution by exploiting insufficient input validation, potentially leading to full host compromise.
Impact
Exploitation of this vulnerability allows for arbitrary OS command execution, which can result in full host compromise, including unauthorized data access, modification of system integrity, and disruption of services.
Reproduction
To reproduce this vulnerability, invoke the MCP 'CallTool' handler with a request that includes a crafted command string for the 'terminal_execute' tool. The injection can be verified with a command that returns visible output, such as 'id': the injected command is executed on the server.
Remediation
Users are advised to upgrade to Agions Taskflow-AI version 2.1.9 or later, where this vulnerability has been fixed.
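The two conditions described above, a tool that is callable without being listed and a command string that reaches the OS without sufficient validation, can both be closed in the dispatcher. The following is an added example, not Taskflow-AI's code or its 2.1.9 fix; the tool names, registry layout and the `listTools`/`resolveCall`/`callTool` functions are hypothetical, and the request shape follows MCP's `tools/call` parameters (`name`, `arguments`).

```javascript
// Added example: hypothetical MCP-style dispatcher, not Taskflow-AI code.
// Single registry (constructed tool names) used by BOTH ListTools and CallTool,
// so nothing is callable that is not also advertised.
const REGISTRY = new Map([
  ['git_status', { bin: 'git', fixed: ['status', '--short'], maxArgs: 0 }],
  ['list_dir', { bin: 'ls', fixed: ['-la', '--'], maxArgs: 1 }],
]);

// Caller-supplied values must be plain path tokens: no whitespace, quotes,
// or shell metacharacters such as ; | & $ ` ( ) < >.
const SAFE_ARG = /^[A-Za-z0-9_./-]{1,256}$/;

function listTools() {
  return [...REGISTRY.keys()];
}

// Turn a CallTool request into a fixed binary plus argv array, or throw.
// The caller never chooses the binary and never supplies a command string.
function resolveCall(request) {
  const { name, arguments: args = {} } = request.params ?? {};
  const tool = REGISTRY.get(name);
  if (!tool) throw new Error(`unknown tool: ${String(name)}`);
  const extra = args?.args ?? [];
  if (!Array.isArray(extra) || extra.length > tool.maxArgs) {
    throw new Error('bad argument list');
  }
  for (const a of extra) {
    if (typeof a !== 'string' || !SAFE_ARG.test(a) || a.startsWith('-')) {
      throw new Error('rejected argument');
    }
  }
  return { bin: tool.bin, argv: [...tool.fixed, ...extra] };
}

// Run the resolved call with execFile: argv goes to the process directly,
// no shell parses it, so metacharacters would be literal even if they got here.
async function callTool(request) {
  const { bin, argv } = resolveCall(request);
  const { execFile } = await import('node:child_process');
  return new Promise((resolve, reject) => {
    execFile(bin, argv, { shell: false, timeout: 5000 }, (err, stdout) => {
      if (err) reject(err);
      else resolve({ content: [{ type: 'text', text: stdout }] });
    });
  });
}
```

A request naming any tool outside the registry fails in `resolveCall` before a process is started, which is also a convenient place to log the attempt.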
