Anthropic’s Claude Code AI Assistant Plagued by Critical Sandbox Bypass for Over Five Months
Anthropic’s Claude Code AI coding assistant contained a severe network sandbox bypass vulnerability for more than five months, enabling attackers to exfiltrate sensitive data including credentials, source code, and environment variables from developer systems. Security researcher Aonan Guan disclosed a second complete sandbox bypass, describing it as a systemic implementation flaw rather than an isolated bug.
The vulnerability, a SOCKS5 hostname null-byte injection, affected all Claude Code releases from v2.0.24 (October 20, 2025) to v2.1.89, spanning roughly 130 versions over 5.5 months. Anthropic silently patched the issue in v2.1.90 (April 1, 2026) without acknowledging the security fix in release notes.
The exploit leveraged a parser differential between JavaScript and the underlying C library (libc). Claude Code’s sandbox used a JavaScript endsWith() check to validate hostnames against an allowlist (e.g., *.google.com). Attackers crafted hostnames like attacker-host.com\x00.google.com JavaScript approved the connection due to the trailing .google.com, while libc’s getaddrinfo() resolved the domain up to the null byte (\x00), redirecting traffic to attacker-host.com.
When combined with prompt injection attacks, the bypass became particularly dangerous. Malicious instructions embedded in GitHub issues, READMEs, or documentation could trigger attacker-controlled code inside the sandbox, exfiltrating:
- AWS credentials (
~/.aws/) - GitHub tokens (
~/.config/gh/) - Cloud instance metadata (from
169.254.169.254) - Internal API endpoints and corporate intranet resources
- Environment variables and model API keys
The vulnerability was introduced due to missing input sanitization in sandbox-runtime <= 0.0.42, which passed raw SOCKS5 DOMAINNAME bytes directly into the matcher without rejecting null bytes, length limits, or non-DNS characters. The fix in sandbox-runtime 0.0.43 added an isValidHost() wrapper to block \x00, %, CRLF, and other malicious characters.
This incident follows a prior sandbox bypass (CVE-2025-66479), where an allowedDomains: [] configuration intended to block all outbound traffic was misinterpreted as "allow everything" due to a flawed allowedDomains.length > 0 check. Anthropic silently patched that issue in v2.0.55 (November 26, 2025), the same release that still included the SOCKS5 null-byte injection.
Despite Guan’s disclosure via HackerOne (#3646509), Anthropic closed the report as a duplicate and has not assigned a CVE for the SOCKS5 bypass. CVE-2025-66479 remains the only recorded CVE for either sandbox flaw, and it was issued against sandbox-runtime, not Claude Code itself. Anthropic’s security advisories page lists no sandbox vulnerabilities.
Users are advised to update to Claude Code v2.1.90 or later. Those who ran wildcard allowlists on credential-bearing systems between October 20, 2025, and their upgrade date should audit outbound SOCKS-mediated traffic logs and rotate exposed credentials.
Source: https://cybersecuritynews.com/claude-codes-network-sandbox-vulnerability/
Anthropic cybersecurity rating report: https://www.rankiteo.com/company/anthropicresearch
"id": "ANT1779337466",
"linkid": "anthropicresearch",
"type": "Vulnerability",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Developers using Claude Code '
'v2.0.24 to v2.1.89',
'industry': 'Artificial Intelligence / Software '
'Development',
'name': 'Anthropic',
'type': 'Company'}],
'attack_vector': 'SOCKS5 hostname null-byte injection',
'customer_advisories': 'Users of affected versions should update immediately '
'and audit systems for compromise',
'data_breach': {'data_exfiltration': 'Yes (via attacker-controlled domains)',
'personally_identifiable_information': 'Yes (via exposed '
'credentials and '
'environment '
'variables)',
'sensitivity_of_data': 'High (AWS credentials, GitHub tokens, '
'cloud instance metadata)',
'type_of_data_compromised': ['Credentials',
'Source code',
'Environment variables',
'Internal API endpoints',
'Corporate intranet resources',
'Model API keys']},
'date_detected': '2026-04-01',
'date_resolved': '2026-04-01',
'description': 'Anthropic’s Claude Code AI coding assistant contained a '
'severe network sandbox bypass vulnerability for more than '
'five months, enabling attackers to exfiltrate sensitive data '
'including credentials, source code, and environment variables '
'from developer systems. The vulnerability, a SOCKS5 hostname '
'null-byte injection, affected all Claude Code releases from '
'v2.0.24 (October 20, 2025) to v2.1.89, spanning roughly 130 '
'versions over 5.5 months. Anthropic silently patched the '
'issue in v2.1.90 (April 1, 2026) without acknowledging the '
'security fix in release notes.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'silent patching and lack of '
'transparency',
'data_compromised': 'Credentials (AWS, GitHub tokens), source '
'code, environment variables, internal API '
'endpoints, corporate intranet resources, '
'model API keys',
'identity_theft_risk': 'High (exposure of personally identifiable '
'information via credentials and '
'environment variables)',
'operational_impact': 'Potential unauthorized access to sensitive '
'corporate resources',
'systems_affected': 'Developer systems running Claude Code v2.0.24 '
'to v2.1.89'},
'investigation_status': 'Resolved (silently patched)',
'lessons_learned': 'Systemic implementation flaws in sandboxing can lead to '
'prolonged exposure; input sanitization is critical for '
'security controls; silent patching undermines trust and '
'transparency.',
'post_incident_analysis': {'corrective_actions': ['Added isValidHost() '
'wrapper to block malicious '
'characters',
'Fixed allowlist logic in '
'sandbox-runtime 0.0.43'],
'root_causes': ['Missing input sanitization in '
'SOCKS5 hostname validation',
'Parser differential between '
'JavaScript and libc '
'(getaddrinfo())',
'Flawed allowlist logic in '
'sandbox-runtime <= 0.0.42']},
'recommendations': ['Update to Claude Code v2.1.90 or later',
'Rotate all exposed credentials (AWS, GitHub, etc.)',
'Audit outbound SOCKS-mediated traffic logs for '
'suspicious activity',
'Implement stricter input validation in security-critical '
'components',
'Avoid silent patching; disclose vulnerabilities '
'transparently to users'],
'references': [{'source': 'HackerOne Report',
'url': 'https://hackerone.com/reports/3646509'}],
'response': {'communication_strategy': 'No security advisory issued; patch '
'not acknowledged in release notes',
'containment_measures': 'Silent patch in v2.1.90 (April 1, 2026)',
'enhanced_monitoring': 'Users advised to audit outbound '
'SOCKS-mediated traffic logs',
'recovery_measures': 'Users advised to update to v2.1.90 or '
'later and rotate exposed credentials',
'remediation_measures': 'Added isValidHost() wrapper in '
'sandbox-runtime 0.0.43 to block '
'malicious characters (\\x00, %, CRLF)'},
'stakeholder_advisories': 'Users advised to update and rotate credentials; no '
'official advisory issued by Anthropic',
'title': 'Anthropic’s Claude Code AI Assistant Plagued by Critical Sandbox '
'Bypass for Over Five Months',
'type': 'Sandbox Bypass',
'vulnerability_exploited': 'Parser differential between JavaScript and libc '
'(getaddrinfo())'}