
v3.12.4 — CWE-78 security patch (agentic-flow ≥ 2.0.14)

@ruvnet ruvnet released this 18 Jun 14:40
· 2 commits to main since this release
da901d0

🔒 Security release — CWE-78 fix

This release picks up agentic-flow@2.0.14, which closes an OS command injection vulnerability in its MCP server tools.

What the upstream advisory found

agentic-flow ≤ 2.0.13's MCP server tools (standalone-stdio, http-sse, http-streaming-updated, stdio-full, claude-flow-sdk, poc-stdio, plus the fastmcp/tools/{agent,swarm,hooks} sinks) interpolated attacker-influenceable MCP tool parameters directly into shell command strings passed to execSync(). A malicious value like:

x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "

would break out of the surrounding double-quoted argument and execute arbitrary OS commands with the privileges of the user running the MCP server. In MCP deployments where untrusted content (web pages, files, third-party tool output) is processed by the AI agent, this was reachable without direct attacker access to the host.

What changed in this release

  • Root package.json: agentic-flow ^2.0.13 → ^2.0.14
  • ruflo/ wrapper overrides: adds "agentic-flow": ">=2.0.14" defense-in-depth pin (per the #2112 lesson — wrapper does not inherit root overrides)
  • All three packages bumped from 3.12.3 → 3.12.4

| Package | latest | alpha | v3alpha |
| --- | --- | --- | --- |
| @claude-flow/cli | 3.12.4 | 3.12.4 | 3.12.4 |
| claude-flow | 3.12.4 | 3.12.4 | 3.12.4 |
| ruflo | 3.12.4 | 3.12.4 | 3.12.4 |

How to upgrade

npx ruflo@latest                    # picks up 3.12.4 automatically
npx claude-flow@latest              # picks up 3.12.4 automatically
npx @claude-flow/cli@latest         # picks up 3.12.4 automatically

If you have a local install, refresh:

npm install ruflo@latest
# or
npm install agentic-flow@^2.0.14

Verifying the fix

Anywhere agentic-flow is installed in your tree:

$ grep -c "execSync("    node_modules/agentic-flow/dist/mcp/standalone-stdio.js
0
$ grep -c "execFileSync(" node_modules/agentic-flow/dist/mcp/standalone-stdio.js
14

The pre-fix code had 14 execSync(stringInterp) sinks; the fixed code has zero, each replaced 1:1 with execFileSync('npx', argv, { shell: false }), where every argv element is passed to execve(2) as a separate, literal argument and no shell is ever invoked to re-parse it.

Cross-references

Credit

CWE-78 advisory originally reported via the hackchang_pipeline red-team report package (npm_agentic-flow_report_package_20260618_163017.zip). Thanks to hackchang for the report — the sink inventory + minimized PoC payload made it straightforward to write the static-scan regression test that fails CI if any new execSync() call is ever reintroduced into the MCP server tree.


🤖 Generated with RuFlo