Listen to this Post
How the Mentioned CVE Works
nono-py is a Python binding for the nono capability-based sandboxing system, which uses Landlock (Linux) and Seatbelt (macOS) to enforce OS-level isolation for untrusted workloads. The vulnerability stems from two independent flaws in how nono-py handles network policies.
First flaw — ProxyConfig enforcement gap: When a sandboxed child is configured with a `ProxyConfig` derived from a policy, the system does not automatically enforce CapabilitySet.proxy_only. The `proxy_only` capability is designed to restrict the child process to connecting only to the local nono proxy port, with the proxy itself enforcing host allowlists and blocking direct TCP to any other target. However, because the enforcement is not automatic, a sandboxed child can bypass the resolved domain allowlist by using direct network access instead of going through the proxy. This means that even though the policy author intended to restrict outbound traffic to specific domains via the proxy, the child can simply ignore the proxy and open raw TCP connections to any destination.
Second flaw — Silent policy field ignoring: The policy JSON parser accepts unknown security-sensitive fields without validation or error. If a policy author misspells a restriction field or uses an unsupported field name, the system silently ignores it rather than rejecting the policy or raising a configuration error. This creates a false sense of security: administrators believe certain restrictions are in place, but the sandboxed child never has them applied.
Combined impact: A caller could configure only reverse-proxy credential routes, place the child in CapabilitySet.proxy_only, and reasonably expect network access to be limited to those routes. Instead, because empty `allowed_hosts` meant allow-all inside nono-proxy, the child could use the local proxy as a transparent CONNECT tunnel to non-route-nominated hosts. The intended policy (route-only proxy access) becomes route-only plus arbitrary transparent CONNECT.
Older kernel note: On Linux kernels without Landlock ABI v4 network rules (Linux < 6.7), patched versions continue to support proxy-only enforcement through the seccomp supervisor fallback introduced in commit 807fb4b. Users on older kernels must ensure policy-resolved proxy configurations are coupled to CapabilitySet.proxy_only(proxy); merely injecting proxy environment variables is not sufficient. Before the fix, the Python binding applied the sandbox and executed the child, but did not install and supervise the proxy-only seccomp-notify fallback, allowing bypass on old-kernel paths.
DailyCVE Form:
Platform: …….
nono-py (Python)
Version: ……..
<= 0.10.0
Vulnerability :……
Policy bypass
Severity: …….
Medium
date: ……….
2026-04-28
Prediction: ……….
2026-05-15
What Undercode Say:
Analytics
The vulnerability affects all nono-py versions up to and including 0.10.0. Fixed versions are 0.10.1 for the policy JSON unknown fields issue and 0.11.0 for the authorization bypass. The issue requires all of the following conditions for the old-kernel bypass path: Linux runtime, kernel without Landlock network support (such as Linux 6.1; Landlock network rules require ABI v4 / Linux 6.7 or newer), `nono_py.sandboxed_exec()` is used, the capability set uses caps.proxy_only(proxy), and the child process removes or ignores proxy environment variables or uses raw sockets. macOS Seatbelt proxy-only enforcement is not affected.
Check currently installed nono-py version pip show nono-py Upgrade to patched version pip install --upgrade nono-py>=0.10.1 Verify Landlock ABI version on Linux Landlock ABI v4 (Linux 6.7+) is required for native network rules uname -r If kernel < 6.7, ensure seccomp fallback is active
Vulnerable pattern (pre-0.10.1):
Policy JSON with misspelled field is silently ignored
policy = {
"allowed_domains": ["api.example.com"], Correct field
"alowed_domains": ["evil.com"] Misspelled — silently ignored!
}
Fixed pattern (0.10.1+):
Unknown fields are rejected or validated
ProxyConfig must be explicitly coupled with proxy_only()
caps = CapabilitySet.proxy_only(proxy)
Do not rely on environment variables alone
Exploit:
An attacker who can influence the policy configuration or the sandboxed child’s execution environment can exploit this in several ways:
1. Direct network bypass: The sandboxed child removes `HTTP_PROXY` / `HTTPS_PROXY` environment variables or uses raw sockets (e.g., Python’s `socket` module) to open direct TCP connections. On kernels without Landlock network rules, these connections are not blocked because the seccomp-notify fallback was not installed.
2. Proxy CONNECT tunnel abuse: Even when the child uses the proxy, empty `allowed_hosts` in the proxy configuration means the proxy acts as an open CONNECT tunnel to arbitrary destinations. The child can issue `CONNECT` requests to any host:port, effectively bypassing the intended domain allowlist.
3. Silent policy misconfiguration: A malicious or mistaken policy author can include misspelled restriction fields (e.g., `”blocked_domainz”` instead of "blocked_domains"). The system accepts the JSON without error, and the restriction is never applied — the sandboxed child operates with broader permissions than intended.
4. Cloud metadata exfiltration: In cloud environments, a sandboxed workload with access to cloud metadata discovery inputs can perform direct TCP connections to metadata endpoints (e.g., 169.254.169.254) to retrieve instance credentials after removing proxy environment variables.
Protection:
- Upgrade immediately: Update to nono-py version 0.10.1 or later (for the policy JSON fix) and 0.11.0 or later (for the authorization bypass fix).
- Explicit capability coupling: Always couple policy-resolved proxy configurations with `CapabilitySet.proxy_only(proxy)` explicitly. Do not rely solely on proxy environment variable injection.
- Kernel upgrade (Linux): Upgrade to Linux kernel 6.7 or newer to benefit from Landlock ABI v4 network rules, which provide native kernel-level enforcement. On older kernels, ensure the seccomp-notify fallback is active and supervised.
- Policy validation: Validate all policy JSON fields against a known schema. Reject policies containing unknown or unsupported fields rather than silently ignoring them.
- Network monitoring: Monitor outbound network connections from sandboxed processes. Alert on connections that do not go through the configured proxy.
Impact:
- Confidentiality: A sandboxed child may gain broader network access than intended, potentially exposing sensitive data depending on the execution environment and workload. In cloud environments, this could allow retrieval of instance metadata and credentials.
- Integrity: The vulnerability does not directly affect data integrity, but exfiltrated credentials could be used for unauthorized modifications.
- Availability: Not directly affected.
- Scope: The issue affects proxy-only enforcement specifically. It does not mean that all nono-py network blocking is ineffective — `caps.block_network()` correctly denies regular TCP connections on supported kernels.
- Risk scenario: The highest-impact scenario is a sandboxed workload with access to cloud metadata discovery inputs, where direct TCP to a metadata endpoint could retrieve task or instance credentials after proxy environment variables are removed. This should be classified as medium severity by default, potentially high if users rely on route-only configurations for strict egress control around untrusted code or sensitive credentials.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
