Critical Sandbox Bypass in Claude Code Exposes User Data
Severity: High (Score: 71.0)
Sources: Theregister, Cybersecuritynews, Letsdatascience, Gbhackers, oddguan.com
Keywords: sandbox, code, claude, anthropic, time, network, allow
Severity indicators: data exfiltration, exfiltration, rat
Summary
Anthropic's Claude Code AI platform has been found to have a critical network sandbox bypass vulnerability, allowing attackers to exfiltrate sensitive data, including user credentials and source code. Discovered by researcher Aonan Guan, this flaw is the second complete bypass identified within six months. The attack method involves a SOCKS5 hostname null-byte injection that tricks the sandbox's allowlist filter. This vulnerability existed for over five months without a public advisory or CVE for the main product; the only CVE was assigned to the underlying sandbox-runtime library. The first bypass was documented as CVE-2025-66479, published on December 4, 2025. Users who configured the sandbox with wildcard allowlists were particularly at risk, as the sandbox failed to enforce network restrictions as documented. The issue has raised significant concerns about the reliability of the sandboxing mechanism in AI-assisted coding tools.
Key Points:
- Claude Code's sandbox bypass allows exfiltration of sensitive user data.
- The vulnerability was active for over five months without a public advisory.
- A second bypass was discovered, raising concerns about the security of AI coding tools.
Detailed Analysis
**Impact** Developers and organizations using Anthropic’s Claude Code AI coding assistant with its network sandbox feature are affected, particularly those employing wildcard allowlists (e.g., *.google.com) on credential-bearing systems. The vulnerability existed from the sandbox’s GA release on 2025-10-20 through 2026-04-01, a period of approximately 5.5 months, during which attackers could exfiltrate credentials, source code, environment variables, and internal API data. The issue impacts users globally across sectors relying on Claude Code for secure code execution and data isolation. No public advisory or CVE was issued for Claude Code itself, limiting user awareness of the risk.
**Technical Details** The attack exploits two sandbox bypasses. The first is a logic flaw where allowedDomains: [] (empty array) was interpreted as allowing all network access (CVE-2025-66479, assigned only to the sandbox-runtime library). The second is a SOCKS5 proxy hostname null-byte injection that bypasses wildcard allowlists by truncating hostnames at the null byte. This enables an attacker running code inside the sandbox, often via prompt injection, to exfiltrate data through the host’s network proxy with full privileges. The kill chain involves initial code execution inside the sandbox, followed by network egress bypass via malformed SOCKS5 requests. The flaw was fixed in sandbox-runtime v0.0.43 and Claude Code v2.1.90.
**Recommended Response** Apply the latest Claude Code update (v2.1.90 or later), which includes the fix rejecting null bytes and other invalid characters in hostnames. Ensure sandbox-runtime is updated to at least v0.0.43. Review and harden allowedDomains configurations, avoiding wildcard entries where possible. Monitor network egress from sandboxed processes for anomalous SOCKS5 CONNECT requests containing null bytes or unexpected hostnames. In the absence of vendor advisories, maintain vigilance on third-party reports and audit sandbox configurations regularly.
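The hostname handling described above, as an added example (not Anthropic's or sandbox-runtime's code): a Python check that parses a SOCKS5 CONNECT request, rejects a hostname containing a null byte or other invalid character before any allowlist comparison, and treats an empty allowedDomains list as deny-all. The function names and the .example hostnames are constructed for illustration.

```python
import re
import struct

# One DNS label: letters, digits, hyphen; NUL or any other byte fails fullmatch.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def parse_socks5_connect(req: bytes):
    """Parse a SOCKS5 request (RFC 1928) with ATYP=0x03; return (raw_host, port)."""
    if len(req) < 5 or req[0] != 0x05 or req[1] != 0x01 or req[3] != 0x03:
        raise ValueError("not a SOCKS5 CONNECT with a domain-name address")
    n = req[4]                                   # one-byte hostname length
    if len(req) != 5 + n + 2:
        raise ValueError("length field does not match request size")
    (port,) = struct.unpack("!H", req[5 + n:])
    return req[5:5 + n], port

def valid_hostname(raw: bytes) -> bool:
    """True only if every byte belongs to a well-formed DNS hostname."""
    try:
        host = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return 0 < len(host) <= 253 and all(_LABEL.fullmatch(l) for l in host.split("."))

def allowed(host: str, allowed_domains: list) -> bool:
    """Empty list denies everything; '*.x' matches subdomains of x only."""
    host = host.lower()
    for pat in allowed_domains:
        pat = pat.lower()
        if pat.startswith("*."):
            if host.endswith(pat[1:]) and host != pat[1:]:
                return True
        elif host == pat:
            return True
    return False

def decide(req: bytes, allowed_domains: list) -> str:
    """Validate the full hostname first, then match it against the allowlist."""
    raw, _port = parse_socks5_connect(req)
    if not valid_hostname(raw):
        return "reject-invalid-hostname"         # log this: it is the detection signal
    return "allow" if allowed(raw.decode("ascii"), allowed_domains) else "deny"

def build(host: bytes, port: int = 443) -> bytes:
    """Constructed test input: SOCKS5 CONNECT request bytes for a hostname."""
    return b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack("!H", port)
```

A suffix comparison on the raw bytes would accept a hostname that ends in an allowed domain after an embedded null byte, which is why validation runs on the whole string before the allowlist is consulted.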
Source articles (6)
- Second Time Same Sandbox Anthropic Claude Code Network Allowlist Bypass Data Exfiltration — oddguan.com · 2026-05-20
The first time, the sandbox heard “allow nothing” and did “allow everything” (CVE-2025-66479). This time, an attacker who runs code inside the sandbox can defeat any wildcard allowlist (e.g. *.googl…
- Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code — Cybersecuritynews · 2026-05-21
Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, allowing attackers to exfiltrate credentials, source code, and environment variables from d…
- Claude Code Sandbox Flaw May Compromise User Secrets — Gbhackers · 2026-05-21
A newly disclosed security flaw in Anthropic’s Claude Code platform has exposed a critical weakness in its network sandbox, potentially allowing attackers to bypass restrictions and exfiltrate sensiti…
- Anthropic Patches Claude Code Sandbox Bypass | Let's Data Science — Letsdatascience · 2026-05-20
SecurityWeek, as indexed by ITSecurityNews, reports that Anthropic quietly patched a sandbox bypass affecting Claude Code. According to the reporting, the researcher who discovered the issue said the…
- Even Claude agrees: hole in its sandbox was real and dangerous — Theregister · 2026-05-20
Two now-patched bypass bugs in Claude Code’s network sandbox put users at risk, and one of these allows baddies to send anything inside the sandbox - credentials, source code, other private data - to…
- Anthropic Sandbox Cve 2025 66479 — oddguan.com · 2026-05-20
allowedDomains: [], “Empty array = no network access.” — Anthropic Sandbox Runtime Documentation. The implementation did not match the documentation. When I configured Claude Code’s sandbox with allow…
Timeline
- 2025-12-02 — CVE-2025-66479 published: A critical flaw in the sandbox-runtime library was documented, allowing unrestricted network access.
- 2025-12-17 — CVE-2025-68143 published: Another vulnerability was published, further highlighting security issues in the platform.
- 2026-04-01 — Claude Code v2.1.90 released: A patch was released addressing the sandbox bypass vulnerabilities identified by researchers.
- 2026-05-20 — Researcher discloses second bypass: Aonan Guan publicly disclosed a second complete sandbox bypass, emphasizing the lack of advisories from Anthropic.
- 2026-05-21 — Public awareness raised: Multiple news outlets report on the vulnerabilities, highlighting the risks to users of Claude Code.
Related entities
- Data Breach (Attack Type)
- Data Exfiltration (Attack Type)
- Anthropic (Company)
- CWE-200 - Exposure of Sensitive Information (Cwe)
- anthropic.com (Domain)
- attacker-host.com (Domain)
- oddguan.com (Domain)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1567 - Exfiltration Over Web Service (Mitre Attack)
- Claude Code (Tool)
- Netcat (Tool)
- GitHub (Platform)
- Linux (Platform)
- macOS (Platform)
- Sandbox-runtime (Platform)