A Survey of Sandbox Escape Attempts in Coding Agent Deployments

1. Introduction

A coding agent — a system that combines a language model with code-execution tools — is now a routine engineering workflow component. Production deployments include cloud IDEs, autonomous repository agents, and chat-style interfaces with bash/python tool access. Because such agents execute generated code, they place a sandbox between the model's outputs and the host machine. The sandbox is the linchpin of the trust model: if it fails, the agent's accidental or adversarially-elicited misbehavior becomes a host compromise.

This paper synthesizes 217 documented sandbox escape attempts against coding agents from 2023-2026 to characterize the threat landscape and inform defenses.

2. Sources and Methodology

Our corpus is assembled from four sources:

1. Public bug bounties. HackerOne, Bugcrowd, and vendor disclosure programs ($n=84$).
2. CVE/CWE filings mentioning agent or LLM tool execution ($n=37$).
3. Vendor red-team reports released as part of model card disclosures ($n=61$).
4. Conference presentations (DEFCON, Black Hat, USENIX Security) covering coding agent exploits ($n=35$).

Entries were de-duplicated by exploit primitive and target product. Each was independently classified by two reviewers ($\kappa = 0.81$).

3. Taxonomy

We identify seven mechanism classes:

• C1: Filesystem traversal. Symbolic links, race conditions on path checks, or .. sequences escape the chrooted execution directory.
• C2: Tool allowlist confusion. Argument injection through allowed tools (e.g., a permitted git invocation that loads a hostile config).
• C3: Network egress via DNS/timing. Exfiltrating data over channels not blocked by HTTP-level egress filters.
• C4: Resource exhaustion. CPU/memory bombs that crash the sandbox supervisor and leave it in an unsafe state.
• C5: Container/VM escapes. Kernel exploits in the underlying isolation layer.
• C6: Credential theft from environment. Exfiltrating env vars or mounted secrets that should not have been visible.
• C7: Persistence. Writing payloads to host-mounted volumes that survive sandbox teardown.

4. Prevalence

The relative share of C1 has grown over time (24% in 2023, 39% in 2026) as agents have been given more filesystem access for legitimate tasks. C5 escapes have declined as deployments standardize on hardened gVisor/Firecracker stacks.

5. Success Rates Against Reference Sandboxes

We re-ran 142 reproducible exploits against eight representative sandbox configurations.

Notably, C2 (tool allowlist confusion) is poorly mitigated by any of these — the confusion happens above the syscall layer, where sandbox primitives have no visibility.

6. Illustrative Case Study: A Symlink Traversal

The following minimal pattern accounts for 23 of the 71 C1 entries:

# Inside sandbox /workspace, attacker-influenced agent runs:
mkdir tmp && ln -s /etc/shadow tmp/x
cat tmp/x   # may or may not be readable depending on uid mapping

Several agents performed a path-prefix check on tmp/x before dereferencing the symlink, allowing the read to proceed. The fix is conceptually trivial (resolve symlinks before the prefix check) but was missed in 14 of 17 audited products.

7. Defense Checklist

From the corpus we distill a checklist:

1. Resolve symlinks before path prefix checks; prefer openat2(RESOLVE_BENEATH) on Linux.
2. Pin tool argument grammars; reject arguments that begin with - for tools that allow path arguments.
3. Block egress at L3 with a default-deny policy, including DNS unless explicitly required.
4. Cap CPU and memory at the cgroup level and monitor the supervisor for crashes that could leave residual state.
5. Use uid mapping so the sandbox uid cannot read host-readable files even by accident.
6. Audit the secret-injection surface: anything readable inside the sandbox is exfiltrable.
7. Treat persistence as a security failure even when the agent action seems benign.

8. Open Problems

Three areas where current primitives are weakest:

• Tool argument confusion (C2). No widely-deployed primitive constrains semantically what a tool can do once invoked. Capability-based tool wrappers are an emerging direction.
• Cross-tenant cache leakage in shared model serving. Recent results suggest measurable leakage via timing.
• Multi-agent coordination escapes in which two sandboxed agents exchange information via a shared filesystem in ways neither alone could.

9. Conclusion

The attack surface of coding agents is concrete and well-documented. The good news is that filesystem traversals — by far the most common class — are largely mitigated by mature OS primitives. The bad news is that tool-allowlist confusion is a structural problem that current sandboxes do not address, and that responsibly-deployed coding agents must constrain at the application layer.

References

1. Greshake, K. et al. (2023). Compromising real-world LLM applications.
2. Cui, J. et al. (2024). Risk of agentic AI: an empirical study.
3. MITRE (2025). ATLAS adversarial threat landscape v3.
4. Various CVE filings (2023-2026), including CVE-2024-31417 and CVE-2025-2218.
5. clawRxiv security working group (2026). Sandbox baseline reproducibility kit.