AWS Bedrock AgentCore Sandbox Flaw Enables Covert Data Exfiltration
A critical security vulnerability has been identified in AWS Bedrock’s AgentCore Code Interpreter, specifically within its Sandbox network mode. This flaw permits outbound DNS queries, allowing malicious actors to establish covert command-and-control (C2) channels and exfiltrate sensitive data, thereby undermining the intended network isolation.
Understanding the AWS Bedrock AgentCore Code Interpreter
AWS Bedrock’s AgentCore Code Interpreter is a managed service designed to execute code in languages such as Python, JavaScript, and shell scripts on behalf of users. This functionality is akin to ChatGPT’s code interpreter, which processes uploaded files and returns analytical results. The service offers three network modes: Public, VPC, and Sandbox. The Sandbox mode was originally documented by AWS as providing complete isolation with no external access.
Discovery of the Sandbox Mode Vulnerability
Researchers at BeyondTrust’s Phantom Labs discovered a significant flaw in the Sandbox mode’s isolation guarantee. Despite blocking general internet traffic, the Sandbox mode allowed DNS A and AAAA record queries to exit the sandbox without restriction. This oversight effectively nullified the isolation model, as it permitted external communication through DNS queries.
The researchers confirmed this behavior using Interactsh, an out-of-band testing server, which received DNS queries from within the sandboxed Code Interpreter, even though the instance was configured with no network access.
Exploiting the Flaw: Establishing a Reverse Shell over DNS
BeyondTrust’s team not only identified the DNS leak but also developed a fully functional bidirectional DNS C2 protocol to demonstrate the severity of the bypass. They crafted a method to deliver commands to the sandboxed interpreter via DNS A record responses, encoding ASCII characters of base64-encoded command chunks into IP address octets. For instance, the command `whoami` encoded as base64 `d2hvYW1p` would be split across multiple DNS responses, with the first octet indicating whether more chunks remained.
The output from these commands was exfiltrated in the reverse direction. The Code Interpreter embedded base64-encoded command results into DNS subdomain queries, up to 60 characters per DNS label, which were captured by an attacker-controlled EC2 instance acting as a nameserver. This setup provided a fully interactive reverse shell operating entirely over DNS, effectively bypassing the network isolation promised by the Sandbox mode.
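From the defender's side, the chunked-output channel described above leaves a recognisable trace in resolver query logs: one zone receiving a stream of long, high-entropy, base64-alphabet first labels. The following Python heuristic is an added example, not code from the BeyondTrust write-up or from AWS; the simplified log format, the `c2.example.test` zone and the thresholds are assumptions, and the log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver query log: "<time> <source-ip> <qtype> <qname>".
# Invented lines, not real AgentCore, Route 53 Resolver or Interactsh output.
SAMPLE_LOG = """\
2026-03-16T10:00:01Z 10.0.1.5 A pypi.org
2026-03-16T10:00:02Z 10.0.1.5 AAAA files.pythonhosted.org
2026-03-16T10:00:03Z 10.0.1.5 A dXNlcj1yb290CnVpZD0wKHJvb3QpIGdpZD0wKHJvb3Qp.c2.example.test
2026-03-16T10:00:04Z 10.0.1.5 A Z3JvdXBzPTAocm9vdCkKL3Vzci9iaW4vcHl0aG9u.c2.example.test
2026-03-16T10:00:05Z 10.0.1.5 A MzA3MTIwNjMxNDE2LWF3cy1zMy1jdXN0b21lci1kYXRh.c2.example.test
2026-03-16T10:00:06Z 10.0.1.5 A cHJvZC1maW5hbmNlLWJhY2t1cC5jc3YKY3JlZHMuanNvbg.c2.example.test
2026-03-16T10:00:07Z 10.0.1.5 A sts.us-east-1.amazonaws.com
"""

# Standard and URL-safe base64 alphabets: what chunked encoded output looks like.
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]+$")

def shannon_entropy(s: str) -> float:
    """Bits per character: hostnames score roughly 2-3, base64 chunks 4-5."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def label_looks_encoded(label: str, min_len: int, min_entropy: float) -> bool:
    return (len(label) >= min_len
            and B64_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)

def find_suspicious_zones(log_text: str, min_len: int = 30,
                          min_entropy: float = 3.5, min_hits: int = 3) -> dict:
    """Group A/AAAA queries by zone (everything after the first label) and
    return the zones that received >= min_hits distinct encoded-looking labels."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("A", "AAAA"):
            continue
        first, _, zone = parts[3].rstrip(".").partition(".")
        if zone and label_looks_encoded(first, min_len, min_entropy):
            hits[zone].add(first)
    return {zone: sorted(labels) for zone, labels in hits.items()
            if len(labels) >= min_hits}

if __name__ == "__main__":
    for zone, labels in find_suspicious_zones(SAMPLE_LOG).items():
        print(f"{zone}: {len(labels)} encoded-looking labels")
```

The thresholds are starting points to tune against a baseline of the interpreter's normal lookups (package indexes, AWS endpoints), since a single long CDN hostname should not trip the rule but a sustained stream to one zone should.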
Potential Impact: Unauthorized Access to AWS Resources
The implications of this vulnerability are particularly severe because Code Interpreter instances operate with assigned IAM roles. Through the DNS-based shell, attackers could execute AWS CLI commands using the interpreter’s IAM credentials. This access allowed them to list S3 buckets and retrieve sensitive files, including customer personally identifiable information (PII), API credentials, and financial records, all exfiltrated covertly over DNS.
The default IAM role provided by the AgentCore Starter Toolkit, as documented in AWS’s open-source repository, grants extensive permissions. These include full S3 read access, full DynamoDB access, and unrestricted Secrets Manager access, representing a significant violation of the principle of least privilege.
Disclosure Timeline and AWS’s Response
BeyondTrust responsibly disclosed the vulnerability to AWS via HackerOne (Report #3323153) on September 1, 2025, initially assigning a CVSSv3 score of 8.1, later revised to 7.5. AWS acknowledged the issue, reproduced it, and deployed an initial fix on November 1, 2025. However, this fix was subsequently rolled back.
On December 23, 2025, AWS communicated that no permanent fix would be issued. Instead, they updated the documentation to clarify that Sandbox mode permits DNS resolution and recommended customers migrate to VPC mode for true isolation. AWS awarded the reporting researcher a $100 AWS Gear Shop gift card. Public disclosure occurred on March 16, 2026.
Broader Implications: The Expanding AI Attack Surface
This vulnerability highlights the growing attack surface associated with AI services. Attackers do not require direct shell access to exploit such vulnerabilities; prompt injection attacks and supply chain compromises can also be leveraged. As AI systems become more integrated into critical infrastructure, ensuring robust security measures and adhering to the principle of least privilege are paramount to prevent unauthorized access and data breaches.