Amazon Bedrock and SGLang AI Flaws Enable RCE and Data Exfiltration
- [01] Attackers can exfiltrate sensitive data and establish interactive shells within AI sandboxes using outbound DNS queries.
- [02] Vulnerable systems include Amazon Bedrock AgentCore Code Interpreter, LangSmith, and the SGLang serving framework.
- [03] Defenders must restrict outbound network traffic from AI execution environments and implement monitoring for unusual DNS activity.
New research has identified significant security gaps in the environments used by popular artificial intelligence (AI) platforms to execute code. According to The Hacker News, researchers from BeyondTrust discovered that Amazon Bedrock, LangSmith, and the SGLang framework contain flaws that allow for data exfiltration and RCE through the exploitation of domain name system (DNS) queries and prompt injection.
AI Sandbox Escapes: DNS Exfiltration in Bedrock and SGLang
The most pervasive issue involves the abuse of DNS protocols to bypass traditional network restrictions. In many AI environments, code execution is performed within a sandbox designed to isolate potentially malicious scripts. However, these sandboxes often leave DNS resolution open to facilitate legitimate lookups. BeyondTrust researchers demonstrated that the Amazon Bedrock AgentCore Code Interpreter’s sandbox mode permits outbound DNS queries, which can be weaponized to create a covert C2 channel.
By encoding sensitive data into subdomains of an attacker-controlled domain—such as [encoded-data].attacker.com—an attacker can move information out of the isolated environment without triggering standard firewall alerts. Repeated queries of this kind provide an interactive, shell-like channel, effectively facilitating a sandbox escape. Defenders can detect this kind of exfiltration from Amazon Bedrock by monitoring for high-frequency or high-entropy DNS requests originating from their AI inference compute instances.
SGLang Remote Code Execution Fix and Prompt Injection
Beyond DNS-based issues, the SGLang framework was found to be vulnerable to RCE via prompt injection. SGLang, a specialized language for programming LLMs, had weaknesses in how it processed external input, allowing malicious users to execute arbitrary commands on the underlying host. The SGLang remote code execution fix involves updating the framework to the latest version, which implements stricter input sanitization and limits the scope of operations allowed within the execution engine.
The research also highlighted flaws in LangSmith, where vulnerabilities could lead to arbitrary file reads or unauthorized data access. These findings underscore a systemic lack of Zero Trust implementation within the burgeoning AI middleware layer. If an attacker gains access to an AI agent that has permissions to execute code, they can leverage these flaws to achieve Lateral Movement within the cloud environment.
Technical Analysis of DNS Tunneling in AI Environments
DNS tunneling is a well-known TTP in the MITRE ATT&CK framework, but its application within AI sandboxes presents unique challenges for SOC teams. Unlike standard web servers, AI agents often generate unpredictable network traffic patterns based on the dynamic nature of LLM outputs. This makes identifying anomalous IoC signatures more difficult.
In the case of Amazon Bedrock, the lack of strict egress filtering on UDP port 53 allows the code interpreter to communicate with any external nameserver. Analysts should prioritize mitigating this sandbox exposure by enforcing strict network security groups that block all outbound traffic except to validated internal endpoints. Furthermore, a SIEM rule that alerts on non-standard DNS query lengths can provide early warning of exfiltration attempts.
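The detection approach described above (the SIEM rule on query length, the high-entropy subdomain labels noted in the earlier section, and query bursts to one domain) can be prototyped over resolver logs. The following Python detector is an added example, not code from the page, BeyondTrust or any vendor; the log format, thresholds and domain names are constructed assumptions to be baselined against your own workloads.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log sample (not from the page): "<epoch> <source> <qname>".
SAMPLE_LOG = """\
1700000000 sandbox-a pypi.org
1700000001 sandbox-a files.pythonhosted.org
1700000002 sandbox-a 0123456789abcdef0123456789abcdef.attacker.example
1700000003 sandbox-a fedcba9876543210fedcba9876543210.attacker.example
1700000004 sandbox-a abcdef0123456789abcdef0123456789.attacker.example
1700000005 sandbox-b sts.us-east-1.amazonaws.com
"""
# Tuning assumptions, not values from the page; baseline them against your workloads.
MAX_LABEL_LEN = 30   # DNS permits 63, but legitimate leftmost labels are rarely this long
MAX_ENTROPY = 3.0    # bits/char of the leftmost label; encoded payloads approach 4
BURST_COUNT = 3      # queries per (source, registered domain) inside BURST_WINDOW
BURST_WINDOW = 60    # seconds

def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for a single repeated symbol)."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_reasons(qname: str) -> list[str]:
    """Per-query features a SIEM rule for DNS tunnelling would key on."""
    first = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(first) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if shannon_entropy(first) > MAX_ENTROPY:
        reasons.append("high_entropy")
    return reasons

def analyze(log_text: str) -> dict[tuple[str, str], set[str]]:
    """Map (source, registered domain) -> reasons it was flagged; clean pairs omitted."""
    alerts: dict[tuple[str, str], set[str]] = defaultdict(set)
    recent: dict[tuple[str, str], list[int]] = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, qname = line.split()
        key = (src, registered_domain(qname))
        alerts[key].update(query_reasons(qname))
        # Sliding window over the time-ordered log: a burst to one domain is the tunnelling signature
        recent[key] = [t for t in recent[key] if t > int(ts) - BURST_WINDOW] + [int(ts)]
        if len(recent[key]) >= BURST_COUNT:
            alerts[key].add("burst")
    return {k: v for k, v in alerts.items() if v}
```

Running `analyze(SAMPLE_LOG)` flags only the sandbox-a queries to attacker.example, on all three signals, while the package-index and STS lookups stay clean.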
Mitigation Strategies
To secure AI-driven workflows against these vulnerabilities, security teams should implement the following controls:
- Egress Filtering: Block all outbound traffic from AI code execution sandboxes by default. If DNS is required, route it through a hardened internal recursive resolver that performs threat filtering.
- Input Validation: Use robust sanitization for all user-provided prompts before they are passed to frameworks like SGLang to prevent injection-based RCE.
- Environment Isolation: Run AI execution components in short-lived, ephemeral containers with no access to sensitive metadata services or internal network segments.
- Monitoring: Integrate AI platform logs into existing EDR or security monitoring tools to track the execution of unauthorized system calls or suspicious network activity.