๐Ÿ›ก๏ธ NAIL Institute โ€” AVE Database

โ† Back to Database

Fail-Open Sandbox Degradation

🔴 CRITICAL structural proven AVE-2025-0102

· aka: Silent Sandbox Bypass, Docker Fallback Exploitation, Sandbox Downgrade Attack

Summary

Code execution sandboxes silently degrade to insecure fallback modes when the underlying isolation mechanism (Docker, container runtime) becomes unavailable. No user notification, consent, or logging occurs during degradation.

Blast Radius

Full host-level arbitrary code execution. In multi-agent deployments, one agent can exhaust Docker resources to force other agents into the insecure fallback.

Prerequisites

Agent with code execution capability (allow_code_execution=True or CodeInterpreter tool). Docker unavailable or stoppable.

Environment

  • Frameworks: CrewAI, smolagents
  • Multi-agent: Yes
  • Tools required: Yes
  • Memory required: No

Known Defences

  • Fail-Closed Architecture — ? layer
  • Runtime Isolation Verification — ? layer
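
The fail-open pattern from the Summary beside a fail-closed wrapper that re-verifies isolation before every call, as an added example (not code from CrewAI, smolagents or the NAIL SDK). All function names, the container image and the `docker version` probe are assumptions.

```python
import logging
import shutil
import subprocess
import sys

log = logging.getLogger("sandbox")
IMAGE = "python:3.12-slim"  # assumption: any image that ships a Python interpreter

class SandboxUnavailable(RuntimeError):
    """Raised instead of downgrading to unsandboxed execution."""

def probe_docker(timeout=5.0):
    """Runtime isolation check: True only if the Docker daemon answers."""
    if shutil.which("docker") is None:
        return False
    cmd = ["docker", "version", "--format", "{{.Server.Version}}"]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False

def run_in_container(code, timeout=30):
    """Run code in a throwaway container with no network access."""
    cmd = ["docker", "run", "--rm", "--network", "none", IMAGE, "python", "-c", code]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    if result.returncode == 125:  # 125: the docker run command itself failed
        raise SandboxUnavailable(result.stderr.strip())
    return result.stdout

def run_on_host(code, timeout=30):
    """Unsandboxed execution with the agent process's own privileges."""
    cmd = [sys.executable, "-c", code]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout

def execute_fail_open(code, probe=probe_docker, sandbox=run_in_container, host=run_on_host):
    """The pattern this entry describes: silent downgrade, no log, no consent."""
    return sandbox(code) if probe() else host(code)

def execute_fail_closed(code, probe=probe_docker, sandbox=run_in_container):
    """Probe before every call, not once at start-up; refuse and log on failure."""
    if not probe():
        log.error("sandbox unavailable: refusing to run agent code on the host")
        raise SandboxUnavailable("container runtime not reachable")
    return sandbox(code)
```

Probing per call matters in the multi-agent case under Blast Radius, where the runtime can become unavailable after a start-up check has already passed.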

🔒 Full defence implementations available through the NAIL SDK.

Related

  • AVE-2025-0017
  • AVE-2025-0033
  • CWE: CWE-636 (Not Failing Securely / Fail Open), CWE-94 (Code Injection), CWE-749 (Exposed Dangerous Method)