GHSA-vcv2-r9jh-99m5: Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
Summary
The agentic-flow tool versions 2.0.13 and earlier had a critical vulnerability where user input was directly inserted into shell commands without sanitization, allowing attackers to inject arbitrary OS commands (CWE-78, a type of command injection). This affected multiple MCP server tools, particularly those handling agent and database parameters, and could be exploited through untrusted content processed by the AI agent.
Solution / Mitigation
Upgrade to agentic-flow version 2.0.14 or later. The fix rewrites all affected command calls to use execFileSync(file, argv, { shell: false }), which passes arguments directly to the operating system without shell parsing, preventing injection attacks. Downstream packages (ruflo@3.12.4, claude-flow@3.12.4, @claude-flow/cli@3.12.4) have also been updated to pull the patched version.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-vcv2-r9jh-99m5
First tracked: June 19, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%