Overview
- Phantom Labs published a proof-of-concept showing Bedrock AgentCore Code Interpreter can use permitted DNS A and AAAA queries in Sandbox Mode to run commands, list S3 buckets, and exfiltrate full files via a covert command-and-control channel.
- AWS reviewed the findings and updated documentation to note DNS resolution in Sandbox Mode, advising customers to use VPC mode for full isolation and to apply a Route 53 Resolver DNS Firewall for outbound DNS filtering.
- The impact grows when interpreters inherit broad IAM permissions, with the default AgentCore Starter Toolkit role cited as enabling read-all S3 access and full access to Secrets Manager and DynamoDB.
- BeyondTrust rated the issue high risk with a CVSS score of 7.5 and said AWS acknowledged the report; the researcher disclosed the method in September 2025, AWS briefly deployed a fix in November, then rolled it back and opted for documentation updates by late December.
- Security specialists urge teams to inventory AgentCore interpreters, migrate sensitive workloads to VPC, and enforce least-privilege IAM, warning that prompt injection or compromised libraries could trigger the DNS exfiltration path.
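
One way to act on the least-privilege advice above is to check each interpreter execution role for account-wide grants on the three services the overview names. This is an added example, not code from Phantom Labs, BeyondTrust or AWS; the sample policy is constructed for illustration and is not the actual Starter Toolkit role, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Services the overview names as over-exposed by a broad interpreter role.
SENSITIVE = ("s3", "secretsmanager", "dynamodb")
# ARN resource parts that cover every bucket, table or secret in scope.
ACCOUNT_WIDE = {"*", "table/*", "secret:*"}

def _as_list(value):
    """IAM accepts a single value wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def _unscoped(resource):
    """True when the resource pattern is not tied to a named resource."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    return len(parts) == 6 and parts[5] in ACCOUNT_WIDE

def broad_grants(policy):
    """Return (sid, service, action, resource) for each Allow that gives a
    sensitive service's actions on an unscoped resource."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        wide = [r for r in _as_list(stmt.get("Resource", [])) if _unscoped(r)]
        for action in _as_list(stmt["Action"]):
            svc_pattern = action.split(":", 1)[0].lower()  # "*" matches all
            for svc in SENSITIVE:
                if fnmatchcase(svc, svc_pattern):
                    sid = stmt.get("Sid", "<no sid>")
                    findings += [(sid, svc, action, r) for r in wide]
    return findings

# Constructed sample policy (assumption, not a real role).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadAllBuckets", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Sid": "Secrets", "Effect": "Allow", "Action": "secretsmanager:*",
     "Resource": "arn:aws:secretsmanager:*:*:secret:*"},
    {"Sid": "ScopedTable", "Effect": "Allow", "Action": "dynamodb:GetItem",
     "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/agent-state"},
    {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents",
     "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in broad_grants(SAMPLE_POLICY):
        print("BROAD GRANT:", *finding)
```

Statements with a `Condition` block are still reported, since a condition may or may not narrow the grant and needs a manual look.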