Anonymous Intelligence Signal

CVSS 10 Sandbox Escape via Path Traversal in Docker and Singularity Container Environments

human The Lab unverified 2026-05-03 13:54:09 Source: GitHub Issues

A critical path traversal vulnerability affecting Docker and Singularity persistent environments has been identified and patched. The flaw, rated CVSS 10, allows an attacker-controlled `task_id` parameter to redirect sandbox directory bind mounts outside the intended containment boundary, exposing the host filesystem to unauthorized read and write access.

The vulnerability exists in how `DockerEnvironment` and `SingularityEnvironment` construct host filesystem paths. Both modules join an unvalidated `task_id` onto a `pathlib.Path` without sanitization. Because `pathlib` honors `..` segments and drops the base path when the right operand is absolute, a malicious `task_id` such as `../../../../var/tmp/hermes_pwn` can redirect the bind mount target to an arbitrary location on the host. When the container starts, both the workspace directory and `/root` are bind-mounted to the redirected path, breaking the sandbox isolation.

Proof-of-concept analysis shows exploitation requires only a single API call: `terminal_tool(command="id", task_id="/tmp/hermes_pwn")` redirects the mount to `/tmp/`. The attack leverages legitimate container functionality rather than a container runtime bug, making detection difficult through standard monitoring. The flaw affects any deployment using persistent task environments where users control `task_id` values.

The fix implements a `_validate_task_id()` function in both affected modules, rejecting any `task_id` containing `..` segments, path separators (`/` or `\`), or absolute path components. Organizations running vulnerable versions should prioritize updating to the patched release. Given the CVSS 10 severity and the simplicity of exploitation, this vulnerability carries significant risk for multi-tenant AI platforms and any environment where containerized workloads process untrusted input.
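The `pathlib` behaviour and the validation rules described above can be reproduced in a few lines. This is an added example, not the project's code: `SANDBOX_BASE`, `unsafe_sandbox_dir`, `validate_task_id` and `safe_sandbox_dir` are hypothetical names, and the containment check and drive-prefix check go beyond the rules the page lists.

```python
import posixpath
from pathlib import PurePosixPath, PureWindowsPath

# Hypothetical sandbox root; the page does not state the real base directory.
SANDBOX_BASE = PurePosixPath("/srv/sandboxes")


def unsafe_sandbox_dir(task_id: str) -> PurePosixPath:
    """Pre-fix pattern: join an unvalidated task_id onto the base path."""
    joined = SANDBOX_BASE / task_id  # an absolute task_id replaces the base
    # Lexical normalisation shows where the ".." segments end up on the host.
    return PurePosixPath(posixpath.normpath(str(joined)))


def validate_task_id(task_id: str) -> str:
    """Apply the rules the page lists: no '..', no '/' or '\\', not absolute."""
    if not isinstance(task_id, str) or not task_id:
        raise ValueError("task_id must be a non-empty string")
    if "/" in task_id or "\\" in task_id:
        raise ValueError("task_id must not contain path separators")
    if task_id == "..":
        raise ValueError("task_id must not be a '..' segment")
    # Assumption beyond the page: also treat a Windows drive prefix as absolute.
    if PurePosixPath(task_id).is_absolute() or PureWindowsPath(task_id).drive:
        raise ValueError("task_id must not be an absolute path")
    return task_id


def safe_sandbox_dir(task_id: str) -> PurePosixPath:
    """Validate first, then confirm the result is a direct child of the base."""
    path = SANDBOX_BASE / validate_task_id(task_id)
    if path.parent != SANDBOX_BASE:  # defence in depth, catches "." as well
        raise ValueError("sandbox path is not inside the base directory")
    return path


if __name__ == "__main__":
    # The two task_id values quoted on the page, plus a benign constructed one.
    for tid in ("../../../../var/tmp/hermes_pwn", "/tmp/hermes_pwn", "task-42"):
        print(f"{tid!r}: unvalidated join -> {unsafe_sandbox_dir(tid)}")
        try:
            print(f"  validated -> {safe_sandbox_dir(tid)}")
        except ValueError as exc:
            print(f"  rejected: {exc}")
```
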