On Linux kernels lacking Landlock network rules (prior to Linux 6.7), nono-py's sandboxed_exec() function using CapabilitySet.proxy_only(proxy) fails to supervise the seccomp-notify proxy-only fallback. This allows sandboxed child processes to remove proxy environment variables or use raw sockets to establish direct TCP connections outside the proxy restrictions. The vulnerability compromises the intended proxy-only policy that restricts network access to a local proxy enforcing host allowlists and metadata denial. It requires a Linux runtime with kernel <6.7, use of nono-py sandboxed_exec() with proxy_only capability, and a child process that bypasses proxy environment variables or uses raw sockets. macOS proxy enforcement is unaffected. The vulnerability is present in nono-py versions >=0.9.0 and <0.10.1 before the supervised fallback fix.

The vulnerability allows a sandboxed child process to bypass proxy-only network restrictions, enabling direct TCP connections that should be blocked. This can lead to unauthorized access to sensitive network resources such as cloud metadata endpoints (e.g., 169.254.169.254), potentially exposing instance or task credentials. Although the attacker must already have some level of code execution inside the sandbox, this bypass crosses the sandbox boundary and compromises confidentiality. There is no denial-of-service impact, and integrity impact is low since no direct data modification occurs from the bypass itself.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should verify if their nono-py version includes the supervised fallback fix for proxy-only enforcement on Linux kernels without Landlock support. Until a fix is applied, avoid using proxy_only capability on unsupported kernels or ensure sandboxed processes cannot remove proxy environment variables or use raw sockets to bypass restrictions.