Skip to content

nono-py has proxy-only network fallback bypass on older Linux kernels

Moderate severity GitHub Reviewed Published May 23, 2026 in nolabs-ai/nono-py • Updated Jun 26, 2026

Package

pip nono-py (pip)

Affected versions

>= 0.9.0, < 0.10.1

Patched versions

0.10.1

Description

Summary

On Linux kernels that do not support Landlock network rules, nono_py.sandboxed_exec() could run CapabilitySet.proxy_only(proxy) without supervising the seccomp-notify proxy-only fallback returned by the Rust core.

In that configuration, a sandboxed child process could remove HTTP_PROXY / HTTPS_PROXY environment variables or use raw sockets and then open direct TCP connections that should have been denied by proxy-only policy.

The issue affects proxy-only enforcement. It does not mean that all nono-py network blocking is ineffective. ECS validation showed caps.block_network() denied regular TCP and ECS metadata TCP on the tested Linux 6.1 host.

Impact

The intended proxy_only() security property is:

  • child processes may connect only to the local nono proxy port
  • the proxy enforces host allowlists and metadata/link-local denial
  • direct TCP to any other target is denied

Before the fix, on kernels without Landlock AccessNet, the Python binding applied the sandbox and then executed the child, but did not install and supervise the proxy-only seccomp-notify fallback. A child could therefore bypass the proxy layer in that old-kernel path.

The highest-impact scenario is a sandboxed workload with access to cloud metadata discovery inputs, where direct TCP to a metadata endpoint could retrieve task or instance credentials after proxy environment variables are removed.

Affected Conditions

The issue requires all of the following:

  • Linux runtime.
  • Kernel without Landlock network support, such as Linux 6.1. Landlock network rules require Landlock ABI v4 / Linux 6.7 or newer.
  • nono_py.sandboxed_exec() is used.
  • The capability set uses caps.proxy_only(proxy).
  • The child process removes or ignores proxy environment variables, or uses raw sockets.

macOS Seatbelt proxy-only enforcement is not affected by this Linux seccomp-notify fallback issue.

Affected Versions

Known affected builds include nono-py versions that expose and use CapabilitySet.proxy_only() through sandboxed_exec() before the supervised fallback fix in this working tree.

Earlier versions that did not expose CapabilitySet.proxy_only() are not affected by this specific proxy-only enforcement bug, though they may have separate environment-inheritance risks if callers passed broad parent environment variables into sandboxed children.

CVSS Score Rationale

Metric Value Rationale
Attack Vector (AV) L — Local Exploit is performed by a local process (unsetting env vars or opening raw sockets). Not remotely triggerable.
Attack Complexity (AC) H — High All of the following must be true: Linux runtime; kernel < 6.7 (no Landlock ABI v4); sandboxed_exec() used; capability set calls proxy_only(); child actively bypasses proxy env vars or uses raw sockets.
Privileges Required (PR) L — Low Attacker is already executing code inside the sandbox — some user-level privilege is required to get there.
User Interaction (UI) N — None No action from a user or operator is needed once the sandboxed child is running.
Scope (S) C — Changed The exploit crosses the sandbox security boundary, allowing the child to reach network resources outside the defined policy scope.
Confidentiality (C) H — High Highest-impact path: direct TCP to cloud metadata endpoint (169.254.169.254) yields IAM / task credentials.
Integrity (I) L — Low Attacker can make arbitrary outbound requests; no direct data modification from the bypass itself, but lateral credential use creates indirect risk.
Availability (A) N — None No denial-of-service impact described or implied.

References

@lukehinds lukehinds published to nolabs-ai/nono-py May 23, 2026
Published to the GitHub Advisory Database Jun 26, 2026
Reviewed Jun 26, 2026
Last updated Jun 26, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS score

Weaknesses

Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-72w7-mf9g-733p

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.