A security investigation by Marco Figueroa, GenAI bug bounty program manager at Mozilla’s 0Din (0Day Investigative Network), has exposed critical weaknesses in ChatGPT’s sandboxed code execution environment. The research, published in November 2024, demonstrates that an attacker — or a curious user — can interact with the sandbox’s underlying Linux filesystem, read internal configuration files, and execute arbitrary Python code, all through crafted prompt inputs. OpenAI acknowledged the findings but classified sandboxed code execution as intended functionality rather than a vulnerability.
Findings: What the Sandbox Exposes
The 0Din research identified five categories of security issues in ChatGPT’s sandbox implementation:
- Filesystem access via Linux commands: Standard shell commands passed through the prompt can enumerate and read directories within the sandbox, including the sensitive
/home/sandbox/.openai_internal/path, which contains system configuration data. - Arbitrary Python execution: The sandbox allows uploading and running Python scripts from the
/mnt/datadirectory. Figueroa did not attempt a sandbox escape, but noted the execution surface creates meaningful risk. - System instruction disclosure: Through prompt engineering, it is possible to retrieve ChatGPT’s internal “playbook” — the operational instructions that govern the chatbot’s responses and constrain its behavior. Leaking these instructions can aid in crafting bypasses of safety filters.
- Knowledge file extraction: Custom GPT knowledge files uploaded by operators can be enumerated and downloaded from within the sandbox environment.
- Code injection via crafted inputs: Specially structured prompts can redirect code execution in ways not anticipated by the sandbox’s intended isolation model.
OpenAI’s Position and Industry Reaction
OpenAI’s official documentation describes code execution as a sandboxed Code Interpreter environment, so the core dispute is not whether Python can run, but whether internal paths, system instructions, and uploaded knowledge files should be reachable from that environment. Figueroa argues that even if code execution is intentional, information disclosure and policy bypass risks still matter for enterprise deployments that rely on custom GPTs and uploaded files.
Enterprises and developers relying on ChatGPT custom GPTs
The findings are most relevant to:
- Enterprises and developers using ChatGPT with custom GPTs or uploaded knowledge files — those files can potentially be extracted by users interacting with the GPT.
- Organizations relying on system instructions to enforce behavior policies or restrict ChatGPT’s responses — those instructions can be disclosed through prompt engineering.
- Security teams evaluating AI platforms for deployment in sensitive environments, where sandbox isolation is a prerequisite.
Standard ChatGPT users without custom configurations face lower risk, but the unrestricted filesystem access within the sandbox environment affects all users of the code execution feature.
Securing your ChatGPT deployment against sandbox exposure
- Treat system instructions as potentially disclosable. Do not embed secrets, API keys, or proprietary logic in ChatGPT system prompts — assume they can be retrieved by a motivated user.
- Audit custom GPT knowledge files. Do not upload documents containing confidential data to custom GPTs; assume file contents are accessible from within the sandbox.
- Follow OpenAI’s security advisories for any updates to sandbox isolation controls or changes to the bug bounty scope.
- Report anomalous behavior via the 0Din program — Mozilla’s GenAI bug bounty offers up to $15,000 for critical AI vulnerability disclosures and actively tracks ChatGPT and similar platforms.
The core takeaway from Figueroa’s research is that AI sandboxes should not be treated as security boundaries in the traditional sense. Until OpenAI formally restricts filesystem introspection and system instruction retrieval, operators should design their ChatGPT deployments on the assumption that sandbox contents are observable — and avoid storing anything sensitive inside them.
