{"data":{"id":"9743bf0a-6dd0-455b-be4d-9e4a7b76957f","title":"GHSA-vcv2-r9jh-99m5: Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync","summary":"agentic-flow versions 2.0.13 and earlier had a critical vulnerability in which user-supplied tool-parameter values were interpolated directly into shell command strings passed to execSync without sanitization, allowing attackers to inject arbitrary OS commands (CWE-78, OS command injection). This affected multiple MCP server tools, particularly those handling agent and database parameters, and could be exploited through untrusted content processed by the AI agent.","solution":"Upgrade to agentic-flow version 2.0.14 or later. The fix rewrites all affected command calls to use execFileSync(file, argv, { shell: false }), which passes each argument directly to the operating system without shell parsing, so shell metacharacters in a parameter value are not interpreted as commands. Downstream packages (ruflo@3.12.4, claude-flow@3.12.4, @claude-flow/cli@3.12.4) have also been updated to pull the patched version.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-vcv2-r9jh-99m5","publishedAt":"2026-06-19T15:12:58.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["agentic-flow@<= 2.0.13 (fixed: 2.0.14)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["agentic-flow","ruflo","claude-flow","@claude-flow/cli"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-06-19T15:12:58.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}