GHSA-9j7f-3r4p-pwh6MediumCVSS 5.2Disclosed before NVD

nono-py vulnerable to authorization bypass / policy confusion

Published
June 26, 2026
Last Modified
June 26, 2026

📋 Description

The python API made a restrictive-looking configuration unsafe by default. A caller could configure only reverse- proxy credential routes, put the child in CapabilitySet.proxy_only, and reasonably expect network access to be limited to those routes. Instead, because empty allowed_hosts meant allow-all inside nono-proxy, the child could use the local proxy as a transparent CONNECT tunnel to non-route nominated hosts (not including metadata endpoints).

That is an authorization bypass / policy confusion issue:

  • Intended policy: route-only proxy access.
  • Actual policy: route-only plus arbitrary transparent CONNECT.
  • Boundary crossed: sandboxed child gains broader outbound network reach than the Python policy appears to grant.
  • Impact depends on environment, but it can allow exfiltration or access to unintended internet/internal services through the unsandboxed proxy.

This should be classified as medium severity by default, potentially high if users rely on route-only configs for strict egress control around untrusted code or sensitive credentials. The fix is security-relevant because it changes the default from implicit allow-all to explicit opt-in.

🎯 Affected products1

  • pip/nono-py:<= 0.10.1

🔗 References (3)