Trending Society
Sign Up

AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Jeff Liu··2 min read·AI
AI Flaws in Amazon Bedrock, LangSmith, and SGLang Enable Data Exfiltration and RCE

Key Takeaways

  1. 1Amazon Bedrock's Code Interpreter sandbox permits data exfiltration via DNS queries.
  2. 2LangSmith suffered a high-severity URL injection leading to account takeover.
  3. 3SGLang contains unpatched remote code execution flaws via unsafe pickle deserialization.
  4. 4AWS recommends VPC mode and DNS firewalls for Bedrock, deeming DNS egress "intended."
  5. 5These vulnerabilities highlight critical gaps in network isolation and input validation for AI agents.
Recent security research has revealed critical vulnerabilities across leading artificial intelligence platforms, including Amazon Bedrock, LangSmith, and SGLang. These flaws expose sensitive data exfiltration pathways and enable remote code execution, challenging the core security assumptions of AI development environments. Organizations relying on these services now face an urgent mandate to reassess their configurations and implement stronger protective measures against sophisticated cyber threats.

Bedrock's DNS Flaw Undermines Network Isolation

Security researchers at BeyondTrust have detailed a novel method for exfiltrating sensitive data from AI code execution environments using domain name system (DNS) queries. The report highlights a significant flaw in Amazon Bedrock AgentCore Code Interpreter's sandbox mode, which allows outbound DNS queries despite being configured for "no network access." This oversight creates a pathway for attackers to bypass network isolation controls.

Attackers can exploit this behavior to establish bidirectional command-and-control channels and exfiltrate sensitive information. This becomes particularly dangerous if the AI's IAM role possesses overprivileged permissions to access AWS resources like S3 buckets. In such scenarios, an interactive reverse shell can be obtained, and commands executed stealthily via DNS queries. The flaw, which lacks a CVE identifier, carries a CVSS score of 7.5 out of 10.0.

While Amazon acknowledged the report, it determined the behavior to be "intended functionality rather than a defect." AWS now recommends customers use VPC mode instead of sandbox mode for complete network isolation. They also advise implementing a DNS firewall to filter outbound DNS traffic. Jason Soroko, a senior fellow at Sectigo, emphasized that "Operating within a VPC provides the necessary infrastructure for robust network isolation, allowing teams to implement strict security groups, network ACLs, and Route53 Resolver DNS Firewalls."

LangSmith and SGLang Face Critical Exploits

Beyond the Bedrock revelations, two other prominent AI tools, LangSmith and SGLang, are grappling with their own severe vulnerabilities. Miggo Security disclosed a high-severity security flaw in LangSmith (CVE-2026-25750), affecting both self-hosted and cloud deployments. This vulnerability, rated 8.5 on the CVSS scale, stems from a lack of validation on the `baseUrl` parameter, allowing for URL parameter injection.

A third flaw (CVE-2026-3989), rated 7.8, involves insecure deserialization in a crash dump replay utility. The CERT Coordination Center (CERT/CC) advises SGLang users to restrict access to service interfaces and implement network segmentation and access controls. This prevents unauthorized interaction with ZeroMQ endpoints and protects against potential compromises.

What This Means For You

1

Developers & Architects

For Bedrock AgentCore Code Interpreter, immediately migrate critical workloads from Sandbox mode to VPC mode. Implement Route53 Resolver DNS Firewalls to scrutinize outbound DNS traffic. Security Teams: Rigorously audit IAM roles attached to AI interpreters, strictly enforcing the principle of least privilege to minimize the potential blast radius of any compromise. Ensure proactive monitoring for unexpected outbound connections from AI processes. LangSmith Users: Verify your LangSmith deployment is updated to version 0.12.71 or newer to patch CVE-2026-25750. Educate users about the risks of clicking suspicious links that may attempt token theft or account takeover. SGLang Users: Restrict network exposure for multimodal generation and encoder parallel disaggregation features. Implement robust network segmentation and access controls around ZeroMQ endpoints to prevent unauthenticated remote code execution.

FAQ

Critical vulnerabilities have been discovered in Amazon Bedrock, LangSmith, and SGLang, potentially leading to data exfiltration and remote code execution. Specifically, Amazon Bedrock's Code Interpreter sandbox allows data exfiltration via DNS queries, LangSmith suffered a high-severity URL injection flaw enabling account takeover, and SGLang contains unpatched remote code execution vulnerabilities through unsafe pickle deserialization.

Attackers can exploit a flaw in Amazon Bedrock's Code Interpreter sandbox that permits outbound DNS queries, even when configured for "no network access." This allows them to bypass network isolation and establish command-and-control channels to exfiltrate sensitive information by encoding it within DNS requests. If the AI's IAM role has excessive permissions, attackers could gain an interactive reverse shell and execute commands stealthily.

Amazon has acknowledged the DNS exfiltration behavior in Bedrock but considers it "intended functionality" rather than a defect. They recommend that customers use VPC mode instead of sandbox mode for complete network isolation. AWS also advises implementing a DNS firewall to filter outbound DNS traffic as an additional security measure.

LangSmith has a high-severity URL injection vulnerability (CVE-2026-25750) that affects both self-hosted and cloud deployments. This flaw, rated 8.5 out of 10 in severity, can lead to account takeover, potentially allowing attackers to compromise user accounts and access sensitive data within the LangSmith platform.

Organizations should reassess their configurations of AI platforms like Amazon Bedrock, LangSmith, and SGLang and implement stronger protective measures. For Bedrock, using VPC mode and DNS firewalls is crucial. Input validation and network isolation should be prioritized across all AI agent deployments to prevent data exfiltration and remote code execution.

Topics
Amazon

Related Articles

More insights on trending topics and technology

Cursor, Claude Code, Codex Unite in Unplanned AI Stack
AI
5 min read

Cursor, Claude Code, Codex Unite in Unplanned AI Stack

Meta Ignites AI with Muse Spark MSL
AI
3 min read

Meta Ignites AI with Muse Spark MSL

Project Glasswing Fortifies AI's Software Defenses
Cybersecurity
4 min read

Project Glasswing Fortifies AI's Software Defenses

Project Glasswing Fortifies AI's Software Defenses
AI
4 min read

Project Glasswing Fortifies AI's Software Defenses

AMD AI Director Blasts 'Dumber' Claude Code
AI
3 min read

AMD AI Director Blasts 'Dumber' Claude Code

AMD AI Director Blasts 'Dumber' Claude Code
Developer Tools
3 min read

AMD AI Director Blasts 'Dumber' Claude Code

AI Startups Stop Retail's Invisible Profit Leaks
AI
4 min read

AI Startups Stop Retail's Invisible Profit Leaks

AI Startups Stop Retail's Invisible Profit Leaks
Startups
4 min read

AI Startups Stop Retail's Invisible Profit Leaks

Newsletter

Stay informed without the noise.

Daily AI updates for builders. No clickbait. Just what matters.