Anthropic Silently Patches Claude Code Sandbox Bypass

AI relevance: A second complete network sandbox bypass in Claude Code allowed prompt-injection-driven exfiltration of developer credentials and source code, patched silently with no CVE assigned.

Security researcher Aonan Guan publicly disclosed a SOCKS5 hostname null-byte injection vulnerability that bypassed every Claude Code release from v2.0.24 (sandbox GA, October 2025) through v2.1.89 — roughly 130 versions across 5.5 months. Anthropic patched the issue in v2.1.90 on April 1, 2026 without mentioning a security fix in the release notes.

The attack exploits a parser differential between JavaScript and libc. The sandbox routes outbound traffic through a SOCKS5 proxy and validates hostnames using a JavaScript endsWith() check against the user's allowlist. An attacker crafts a hostname like attacker-host.com\x00.google.com — JavaScript sees the trailing .google.com and approves the connection, while libc's getaddrinfo() terminates at the null byte and resolves the attacker-controlled host.

When chained with indirect prompt injection, the bypass enables:

• Exfiltration of AWS credentials from ~/.aws/ and GitHub tokens from ~/.config/gh/
• Cloud instance metadata access via 169.254.169.254
• Internal API endpoint and corporate intranet resource enumeration
• Environment variable and model API key theft, all transmitted via raw SOCKS5 bypassing HTTP egress logs

This is the second sandbox bypass in Claude Code. The first (CVE-2025-66479) involved an empty allowedDomains: [] being misread as "allow everything" — silently fixed in November 2025. The current finding was closed by Anthropic's HackerOne program as a duplicate, with no CVE issued in NVD or the GitHub Advisory Database. Anthropic's Claude Code security advisories page lists zero sandbox vulnerabilities.

Why it matters

AI coding assistants run with broad filesystem access and developer credentials by default. When the sandbox — the primary isolation mechanism — can be bypassed via a single null byte in a SOCKS5 hostname, any prompt injection becomes a full data exfiltration vector. The absence of a CVE and public advisory means most users have no way to know they were affected for months.

What to do

• Update to Claude Code v2.1.90+ immediately (claude --version to verify)
• If you ran a wildcard allowlist on a credential-bearing system between October 20, 2025 and your upgrade date, rotate all reachable credentials
• Audit outbound SOCKS-mediated traffic logs for suspicious egress
• Treat the vendor sandbox as defense-in-depth, not as a security boundary — enforce egress controls at the network or hypervisor level outside the agent's reach

Sources

• Original disclosure — Aonan Guan
• SecurityWeek coverage
• The Register coverage
• CyberSecurityNews technical breakdown