Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox
Summary
Researchers discovered that the Code Interpreter sandbox in AWS Bedrock AgentCore, which is supposed to isolate AI agents from external networks, could be bypassed using DNS tunneling (a technique that hides data inside DNS queries to leak information out of a restricted environment). They also found a critical flaw in the microVM Metadata Service (the component that supplies credentials to running programs): it lacked proper authentication, so an attacker who could induce the sandboxed code to make requests on their behalf (server-side request forgery, SSRF) could potentially steal sensitive credentials.
Solution / Mitigation
AWS introduced internal remediations and outlined several mitigation strategies for customers. The source notes that users cannot patch the managed environment directly, but can use the platform-level controls AWS provides. The specific details of these mitigation strategies and platform-level controls are not fully described in the provided excerpt.
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2022-29200: TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implem
Original source: https://unit42.paloaltonetworks.com/bypass-of-aws-sandbox-network-isolation-mode/
First tracked: April 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%