Back

Critical Bypass Vulnerability in Anthropic Claude Code Sandbox Exposes User Data

Severity: High (Score: 67.5)

Sources: Theregister, oddguan.com

Published: 2026-05-20 · Updated: 2026-05-21

Keywords: sandbox, code, claude, anthropic, time, network, allow

Severity indicators: data exfiltration, exfiltration, rat

Summary

Anthropic's Claude Code sandbox has been found to have a critical bypass vulnerability that allows attackers to exfiltrate data by exploiting a flaw in the SOCKS5 proxy configuration. This vulnerability, identified as CVE-2025-66479, allows malicious actors to send data from within the sandbox to any server on the internet by manipulating hostname filtering. The issue stems from incorrect implementation of allowlist checks, where an empty allowlist was interpreted as open access. Users who configured their sandbox with an empty allowlist between October 2025 and April 2026 were particularly at risk, as the sandbox effectively had no network restrictions. The flaw was first reported in December 2025 and patched in early 2026, but no CVE was assigned to the main product, Claude Code, leaving many users unaware of the risk. The vulnerability's impact is compounded when combined with prompt injection attacks, enabling further exploitation. Current status indicates that the vulnerability has been patched, but the lack of communication from Anthropic raises concerns about user awareness. Key Points: • CVE-2025-66479 allows data exfiltration from Claude Code's sandbox via a SOCKS5 proxy flaw. • The vulnerability was present from October 2025 until April 2026, affecting users with empty allowlists. • Anthropic did not assign a CVE to the main product, leaving users unaware of the critical risk.

Detailed Analysis

**Impact** Users of Anthropic Claude Code running versions from 2.0.24 (sandbox GA on 2025-10-20) through 2.1.89 were affected, exposing potentially all sandbox-accessible data to exfiltration for approximately 5.5 months. This includes credential-bearing systems using wildcard allowlists (e.g., *.google.com), impacting sectors relying on AI coding assistants for sensitive development tasks globally. The vulnerability allowed attackers to bypass network restrictions silently, risking exposure of source code, cloud credentials, internal APIs, and GitHub tokens without user awareness. **Technical Details** The primary attack vector is a null-byte injection in SOCKS5 proxy hostname filtering, exploiting inconsistent string handling between JavaScript endsWith() checks and OS-level DNS resolution. This bypasses wildcard allowlists by truncating hostnames at the null byte, enabling unauthorized outbound connections. The earlier flaw (CVE-2025-66479) involved logic errors where allowedDomains: [] was interpreted as no restrictions rather than complete block, disabling network isolation. Both vulnerabilities affect Claude Code’s sandbox-runtime library and the product itself, with fixes delivered in sandbox-runtime 0.0.43 and Claude Code 2.1.90. No malware or IOCs were reported. **Recommended Response** Immediately upgrade Claude Code to version 2.1.90 or later and sandbox-runtime to 0.0.43 or later to apply the null-byte and logic bypass fixes. Review and avoid using wildcard allowlists in sandbox network policies until patched. Monitor outbound network traffic for anomalous connections, especially those involving SOCKS5 proxies, and audit logs for unexpected DNS queries containing null bytes or suspicious hostnames. Since no public advisories were issued, ensure internal communication informs users of this risk and remediation steps.

Source articles (3)

  • Second Time Same Sandbox Anthropic Claude Code Network Allowlist Bypass Data Exfiltration — oddguan.com · 2026-05-20
    The first time, the sandbox heard “allow nothing” and did “allow everything” ( CVE-2025-66479 ). This time, an attacker who runs code inside the sandbox can defeat any wildcard allowlist (e.g. *.googl…
  • Even Claude agrees: hole in its sandbox was real and dangerous — Theregister · 2026-05-20
    Two now-patched bypass bugs in Claude Code’s network sandbox put users at risk, and one of these allows baddies to send anything inside the sandbox - credentials, source code, other private data - to…
  • Anthropic Sandbox Cve 2025 66479 — oddguan.com · 2026-05-20
    allowedDomains: [] , “Empty array = no network access.” — Anthropic Sandbox Runtime Documentation The implementation did not match the documentation. When I configured Claude Code’s sandbox with allow…

Timeline

  • 2025-10-20 — Claude Code sandbox goes GA: Anthropic released Claude Code with a new sandbox mode, which contained critical vulnerabilities.
  • 2025-12-02 — CVE-2025-66479 published: CVE-2025-66479 was issued against the sandbox-runtime library, highlighting a critical flaw.
  • 2025-12-17 — CVE-2025-68143 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
  • 2026-04-01 — Patch released for Claude Code: Anthropic released Claude Code v2.1.90, which included fixes for the identified vulnerabilities.
  • 2026-05-20 — Researcher reports ongoing risks: Researcher Anoan Guan highlights the lack of CVEs for the main product and potential user risks.

CVEs

  • CVE-2025-66479
  • CVE-2025-68143

Related entities

  • Data Breach (Attack Type)
  • Data Exfiltration (Attack Type)
  • Anthropic (Company)
  • anthropic.com (Domain)
  • attacker-host.com (Domain)
  • oddguan.com (Domain)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Claude Code (Tool)
  • Netcat (Tool)
  • GitHub (Platform)
  • Linux (Platform)
  • MacOS (Platform)
  • Sandbox-runtime (Platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed