nono-py’s policy handling has two main issues: (1) resolving a policy-derived ProxyConfig does not automatically enforce CapabilitySet.proxy_only, enabling sandboxed children to bypass domain allowlists by making direct network connections; (2) the policy JSON accepts unknown security-sensitive fields, causing misspelled or unsupported restrictions to be ignored silently. This results in sandboxed processes potentially gaining broader network access than intended by the policy author. On Linux systems lacking Landlock ABI v4 network rules, proxy-only enforcement relies on a seccomp supervisor fallback, requiring explicit coupling of proxy configurations with CapabilitySet.proxy_only. The affected versions are those prior to 0.10.1.

Sandboxed child processes may gain unauthorized network access beyond the configured proxy allowlist, potentially allowing outbound requests to unintended destinations. This broader network access could expose sensitive data depending on the execution environment and workload. The vulnerability does not affect availability but impacts confidentiality and integrity due to possible policy bypass.

A fix is available in nono-py version 0.10.1 and later; users should upgrade to at least version 0.10.1 to address this issue. For users on older Linux kernels without Landlock ABI v4 network rules, ensure that policy-resolved proxy configurations are explicitly coupled with CapabilitySet.proxy_only enforcement, as relying solely on proxy environment variables is insufficient. Patch status is not explicitly confirmed beyond the version indication; users should verify with the vendor advisory for the latest remediation guidance.