How the Vulnerability Works
On Linux systems running kernels that lack Landlock network rules (ABI v4 / Linux 6.7+), the Python binding `nono_py.sandboxed_exec()` can execute a child process with `CapabilitySet.proxy_only(proxy)` without installing or supervising the seccomp‑notify proxy‑only fallback returned by the Rust core. In this misconfiguration, the sandboxed child is able to remove `HTTP_PROXY` / `HTTPS_PROXY` environment variables or use raw sockets, thereby opening direct TCP connections that should have been denied by the proxy‑only policy.
The intended security property of `proxy_only()` is that child processes may only connect to the local nono proxy port; the proxy then enforces host allowlists and denies access to metadata/link‑local addresses. Before the fix, on kernels without Landlock AccessNet, the Python binding applied the sandbox and executed the child but did not install the seccomp‑notify fallback, allowing the child to bypass the proxy layer entirely.
The highest‑impact scenario involves a sandboxed workload with access to cloud metadata discovery inputs: by removing proxy environment variables, the child can directly connect to `169.254.169.254` and retrieve task or instance credentials. The issue requires all of the following conditions: a Linux runtime, a kernel without Landlock network support (e.g., Linux 6.1), use of `nono_py.sandboxed_exec()`, a capability set that calls `caps.proxy_only(proxy)`, and a child process that actively removes or ignores proxy environment variables or uses raw sockets. macOS Seatbelt proxy‑only enforcement is not affected.
Affected builds include nono‑py versions that expose and use `CapabilitySet.proxy_only()` through `sandboxed_exec()` before the supervised fallback fix was applied. Earlier versions that did not expose this method are not affected by this specific bug, though they may have separate environment‑inheritance risks if callers passed broad parent environment variables into sandboxed children.
DailyCVE Form
Platform: Linux
Version: nono‑py (pre‑fix)
Vulnerability: Proxy‑only bypass
Severity: High (CVSS 7.5)
Date: 2026‑06‑26
Prediction: 2026‑07‑01
What Undercode Says: Analytics
Check the Landlock ABI version (needs >=4 for network rules):
$ cat /proc/sys/kernel/landlock/abi_version
If the value is <4, the system is vulnerable.
Vulnerable code path:
from nono_py import CapabilitySet, sandboxed_exec
caps = CapabilitySet()
caps.proxy_only("localhost:8080")  # proxy-only mode
sandboxed_exec(caps, ["python", "agent.py"])  # no fallback supervision
Inside the sandboxed child, remove the proxy env vars:
$ unset HTTP_PROXY HTTPS_PROXY
$ curl http://169.254.169.254/latest/meta-data/  # direct access
How the Exploit Works:
1. Environment variable removal – The child process unsets `HTTP_PROXY` / `HTTPS_PROXY`.
2. Raw socket usage – Alternatively, the child uses raw sockets to bypass the proxy.
3. Direct TCP connection – The child opens a TCP connection to any target (e.g., cloud metadata endpoint) that should have been blocked by the proxy‑only policy.
4. Credential exfiltration – The direct connection retrieves IAM task credentials or other sensitive metadata.
Protection
- Upgrade to a nono‑py version that includes the supervised fallback fix (commit that installs seccomp‑notify filter after fork).
- On systems with Landlock ABI v4+ (Linux 6.7+), ensure network rules are enabled and enforced.
- Avoid using `proxy_only()` on kernels older than 6.7; prefer `block_network()` or full network deny if proxy enforcement is critical.
- Apply the kernel patch that adds Landlock network support or backport the seccomp‑notify supervision logic.
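A preflight check that implements the last two recommendations, added here as an example and not taken from the nono‑py project: it reads the Landlock ABI version the way the analytics section does, and only calls `proxy_only()` when the kernel can enforce network rules (ABI >=4, Linux 6.7+), otherwise falling back to `block_network()` or refusing to run. The names `CapabilitySet`, `proxy_only()` and `block_network()` come from the advisory; their exact signatures, and the `RecordingCaps` stand‑in used so the script runs without nono_py installed, are assumptions.

```python
# Added example (not nono-py project code): choose the child's network policy
# based on whether the running kernel can actually enforce Landlock network
# rules. proxy_only()/block_network() are named in the advisory; their
# signatures are assumed here.
from pathlib import Path
from typing import Optional

LANDLOCK_ABI_PATH = Path("/proc/sys/kernel/landlock/abi_version")
# Landlock ABI v4 (Linux 6.7+) is the first version with network access rules.
LANDLOCK_NET_MIN_ABI = 4


def parse_landlock_abi(text: Optional[str]) -> int:
    """Turn the abi_version file contents into an int; anything unreadable counts as 0."""
    if text is None:
        return 0
    text = text.strip()
    return int(text) if text.isdigit() else 0


def read_landlock_abi(path: Path = LANDLOCK_ABI_PATH) -> int:
    """Read the live ABI version; a missing file means Landlock is absent or disabled."""
    try:
        return parse_landlock_abi(path.read_text())
    except OSError:
        return 0


def landlock_supports_network(abi: int) -> bool:
    return abi >= LANDLOCK_NET_MIN_ABI


def select_network_policy(abi: int, proxy: str, allow_degraded: bool = False) -> dict:
    """Decide how to constrain the child's network access.

    - ABI >= 4: proxy_only(proxy) is kernel-enforced, so use it.
    - ABI < 4 and allow_degraded: proxy_only would go unenforced without the
      seccomp-notify supervisor, so fall back to a full network deny.
    - ABI < 4 otherwise: refuse, so the caller never runs without enforcement.
    """
    if landlock_supports_network(abi):
        return {"mode": "proxy_only", "proxy": proxy,
                "reason": f"Landlock ABI {abi} enforces network rules"}
    if allow_degraded:
        return {"mode": "block_network", "proxy": None,
                "reason": f"Landlock ABI {abi} < {LANDLOCK_NET_MIN_ABI}; "
                          "proxy_only is not enforceable"}
    raise RuntimeError(
        f"refusing proxy_only: Landlock ABI {abi} < {LANDLOCK_NET_MIN_ABI} "
        "(kernel older than 6.7) and degraded mode not allowed")


def apply_network_policy(caps, abi: int, proxy: str, allow_degraded: bool = False) -> str:
    """Apply the selected policy to a capability-set object and return the mode used.

    `caps` is assumed to expose proxy_only(proxy) and block_network(); nothing
    else about the nono_py API is assumed.
    """
    decision = select_network_policy(abi, proxy, allow_degraded)
    if decision["mode"] == "proxy_only":
        caps.proxy_only(decision["proxy"])
    else:
        caps.block_network()
    return decision["mode"]


class RecordingCaps:
    """Constructed stand-in for CapabilitySet that just records which method was called."""

    def __init__(self):
        self.calls = []

    def proxy_only(self, proxy):
        self.calls.append(("proxy_only", proxy))

    def block_network(self):
        self.calls.append(("block_network",))


if __name__ == "__main__":
    caps = RecordingCaps()
    abi = read_landlock_abi()
    mode = apply_network_policy(caps, abi, "localhost:8080", allow_degraded=True)
    print(f"Landlock ABI {abi}: applied {mode}, calls={caps.calls}")
```

Wire the real `CapabilitySet` in place of `RecordingCaps` and keep `allow_degraded=False` for workloads where proxy enforcement is mandatory, so an older kernel fails loudly at startup instead of running the child with an unenforced policy.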
Impact
- Confidentiality (High) – Direct access to cloud metadata endpoints can expose IAM credentials, task roles, and instance identity documents.
- Integrity (Low) – The attacker can make arbitrary outbound requests, but the bypass itself does not directly modify data; however, stolen credentials can be used for lateral movement.
- Availability (None) – No denial‑of‑service impact is described.
- Scope (Changed) – The sandbox security boundary is crossed, allowing the child to reach network resources outside the defined policy scope.
Sources:
Reported By: github.com