AutoJack: How a single page can RCE the host running your AI agent

Microsoft researchers uncovered a critical exploit chain in AutoGen Studio that allowed malicious web content rendered by an AI agent to trigger remote code execution on the host by abusing localhost trust boundaries—demonstrating that agents capable of both browsing untrusted pages and accessing privileged local services can dissolve traditional localhost security assumptions and must be strictly isolated and authenticated.