AWS Bedrock tool vulnerability allows data exfiltration via DNS leaks

Per HackRead, cybersecurity researchers uncovered a significant vulnerability within Amazon Web Services (AWS) Bedrock AgentCore Code Interpreter. This flaw could potentially enable attackers to exfiltrate sensitive company data by exploiting how the tool handles DNS queries within its sandbox environment.

Researchers from BeyondTrust's Phantom Labs discovered that while AWS Bedrock's sandbox mode is designed to isolate AI code execution, it permits DNS queries for A and AAAA records. Attackers can embed stolen data or commands within these DNS requests, effectively bypassing the intended isolation. The team demonstrated a proof-of-concept system that allowed two-way communication with the AI, exfiltrating data through these queries.

AWS was alerted in September 2025, but a fix released in November was pulled due to technical issues. By December, AWS opted to update documentation rather than re-release a patch, assigning the flaw a severity score of 7.5 out of 10.

“We would like to thank researcher Kinnaird McQuade for their report, which prompted us to update our documentation to provide additional clarity regarding Sandbox Mode functionality,” said an AWS spokesperson. 

Experts advise organizations to migrate critical data from Sandbox mode to VPC mode and rigorously audit IAM roles to enforce the principle of least privilege.

Source: HackRead