GHSA-72W7-MF9G-733P

Vulnerability from github – Published: 2026-06-26 20:33 – Updated: 2026-06-26 20:33
VLAI
Summary
nono-py has proxy-only network fallback bypass on older Linux kernels
Details

Summary

On Linux kernels that do not support Landlock network rules, nono_py.sandboxed_exec() could run CapabilitySet.proxy_only(proxy) without supervising the seccomp-notify proxy-only fallback returned by the Rust core.

In that configuration, a sandboxed child process could remove HTTP_PROXY / HTTPS_PROXY environment variables or use raw sockets and then open direct TCP connections that should have been denied by proxy-only policy.

The issue affects proxy-only enforcement. It does not mean that all nono-py network blocking is ineffective. ECS validation showed caps.block_network() denied regular TCP and ECS metadata TCP on the tested Linux 6.1 host.

Impact

The intended proxy_only() security property is:

  • child processes may connect only to the local nono proxy port
  • the proxy enforces host allowlists and metadata/link-local denial
  • direct TCP to any other target is denied

Before the fix, on kernels without Landlock AccessNet, the Python binding applied the sandbox and then executed the child, but did not install and supervise the proxy-only seccomp-notify fallback. A child could therefore bypass the proxy layer in that old-kernel path.

The highest-impact scenario is a sandboxed workload with access to cloud metadata discovery inputs, where direct TCP to a metadata endpoint could retrieve task or instance credentials after proxy environment variables are removed.

Affected Conditions

The issue requires all of the following:

  • Linux runtime.
  • Kernel without Landlock network support, such as Linux 6.1. Landlock network rules require Landlock ABI v4 / Linux 6.7 or newer.
  • nono_py.sandboxed_exec() is used.
  • The capability set uses caps.proxy_only(proxy).
  • The child process removes or ignores proxy environment variables, or uses raw sockets.

macOS Seatbelt proxy-only enforcement is not affected by this Linux seccomp-notify fallback issue.

Affected Versions

Known affected builds include nono-py versions that expose and use CapabilitySet.proxy_only() through sandboxed_exec() before the supervised fallback fix in this working tree.

Earlier versions that did not expose CapabilitySet.proxy_only() are not affected by this specific proxy-only enforcement bug, though they may have separate environment-inheritance risks if callers passed broad parent environment variables into sandboxed children.

CVSS Score Rationale

Metric Value Rationale
Attack Vector (AV) L — Local Exploit is performed by a local process (unsetting env vars or opening raw sockets). Not remotely triggerable.
Attack Complexity (AC) H — High All of the following must be true: Linux runtime; kernel < 6.7 (no Landlock ABI v4); sandboxed_exec() used; capability set calls proxy_only(); child actively bypasses proxy env vars or uses raw sockets.
Privileges Required (PR) L — Low Attacker is already executing code inside the sandbox — some user-level privilege is required to get there.
User Interaction (UI) N — None No action from a user or operator is needed once the sandboxed child is running.
Scope (S) C — Changed The exploit crosses the sandbox security boundary, allowing the child to reach network resources outside the defined policy scope.
Confidentiality (C) H — High Highest-impact path: direct TCP to cloud metadata endpoint (169.254.169.254) yields IAM / task credentials.
Integrity (I) L — Low Attacker can make arbitrary outbound requests; no direct data modification from the bypass itself, but lateral credential use creates indirect risk.
Availability (A) N — None No denial-of-service impact described or implied.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "nono-py"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T20:33:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nOn Linux kernels that do not support Landlock network rules, `nono_py.sandboxed_exec()` could run `CapabilitySet.proxy_only(proxy)` without supervising the seccomp-notify proxy-only fallback returned by the Rust core.\n\nIn that configuration, a sandboxed child process could remove `HTTP_PROXY` / `HTTPS_PROXY` environment variables or use raw sockets and then open direct TCP connections that should have been denied by proxy-only policy.\n\nThe issue affects proxy-only enforcement. It does not mean that all nono-py network blocking is ineffective. ECS validation showed `caps.block_network()` denied regular TCP and ECS metadata TCP on the tested Linux 6.1 host.\n\n## Impact\n\nThe intended `proxy_only()` security property is:\n\n- child processes may connect only to the local nono proxy port\n- the proxy enforces host allowlists and metadata/link-local denial\n- direct TCP to any other target is denied\n\nBefore the fix, on kernels without Landlock `AccessNet`, the Python binding applied the sandbox and then executed the child, but did not install and supervise the proxy-only seccomp-notify fallback. A child could therefore bypass the proxy layer in that old-kernel path.\n\nThe highest-impact scenario is a sandboxed workload with access to cloud metadata discovery inputs, where direct TCP to a metadata endpoint could retrieve task or instance credentials after proxy environment variables are removed.\n\n## Affected Conditions\n\nThe issue requires all of the following:\n\n- Linux runtime.\n- Kernel without Landlock network support, such as Linux 6.1. Landlock network rules require Landlock ABI v4 / Linux 6.7 or newer.\n- `nono_py.sandboxed_exec()` is used.\n- The capability set uses `caps.proxy_only(proxy)`.\n- The child process removes or ignores proxy environment variables, or uses raw sockets.\n\nmacOS Seatbelt proxy-only enforcement is not affected by this Linux seccomp-notify fallback issue.\n\n## Affected Versions\n\nKnown affected builds include nono-py versions that expose and use `CapabilitySet.proxy_only()` through `sandboxed_exec()` before the supervised fallback fix in this working tree.\n\nEarlier versions that did not expose `CapabilitySet.proxy_only()` are not affected by this specific proxy-only enforcement bug, though they may have separate environment-inheritance risks if callers passed broad parent environment variables into sandboxed children.\n\n\n**CVSS Score Rationale**\n\n| Metric | Value | Rationale |\n|---|---|---|\n| **Attack Vector (AV)** | L \u2014 Local | Exploit is performed by a local process (unsetting env vars or opening raw sockets). Not remotely triggerable. |\n| **Attack Complexity (AC)** | H \u2014 High | All of the following must be true: Linux runtime; kernel \u003c 6.7 (no Landlock ABI v4); `sandboxed_exec()` used; capability set calls `proxy_only()`; child actively bypasses proxy env vars or uses raw sockets. |\n| **Privileges Required (PR)** | L \u2014 Low | Attacker is already executing code inside the sandbox \u2014 some user-level privilege is required to get there. |\n| **User Interaction (UI)** | N \u2014 None | No action from a user or operator is needed once the sandboxed child is running. |\n| **Scope (S)** | C \u2014 Changed | The exploit crosses the sandbox security boundary, allowing the child to reach network resources outside the defined policy scope. |\n| **Confidentiality (C)** | H \u2014 High | Highest-impact path: direct TCP to cloud metadata endpoint (169.254.169.254) yields IAM / task credentials. |\n| **Integrity (I)** | L \u2014 Low | Attacker can make arbitrary outbound requests; no direct data modification from the bypass itself, but lateral credential use creates indirect risk. |\n| **Availability (A)** | N \u2014 None | No denial-of-service impact described or implied. |\n\n---",
  "id": "GHSA-72w7-mf9g-733p",
  "modified": "2026-06-26T20:33:48Z",
  "published": "2026-06-26T20:33:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/always-further/nono-py/security/advisories/GHSA-72w7-mf9g-733p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nolabs-ai/nono-py/commit/3e67dfa11cbe9514f315fdd36473680c318816d7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/always-further/nono-py"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nono-py has proxy-only network fallback bypass on older Linux kernels"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…