
Claude Code’s Five-Month Network Sandbox Bypass Silently Exposed Developer Credentials and Source Code

dark6 21 May 2026

Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, silently allowing attackers to exfiltrate developer credentials, source code, and environment variables from affected systems. The company issued no public advisory for either of the two incidents discovered during this period, raising serious questions about responsible disclosure practices in the AI tooling space.

The Vulnerability: SOCKS5 Null-Byte Injection

Security researcher Aonan Guan publicly disclosed a second complete bypass of Claude Code’s network sandbox — a SOCKS5 hostname null-byte injection that affected every Claude Code release from v2.0.24 (sandbox GA on October 20, 2025) through v2.1.89. This spans approximately 130 published versions over roughly 5.5 months.

The attack exploits a parser differential between JavaScript and the underlying C library (libc). Claude Code’s sandbox routes outbound traffic through a SOCKS5 proxy that uses a JavaScript endsWith() check to validate hostnames against the user’s allowlist. An attacker crafts a hostname like attacker-host.com\x00.google.com — the JavaScript filter sees the trailing .google.com and approves the connection, while libc’s getaddrinfo() terminates at the null byte and resolves the blocked host instead.

The vulnerable code in sandbox-runtime <= 0.0.42 passed raw DOMAINNAME bytes directly from a SOCKS5 CONNECT request into the matcher with no null-byte rejection, no length cap, and no character whitelist.

What Attackers Could Steal

The bypass becomes especially dangerous when paired with prompt injection attacks. A malicious instruction hidden in a GitHub issue comment, README, or documentation file that Claude Code reads could trigger attacker-controlled code inside the sandbox. Until v2.1.90, that code could exploit this bypass to silently exfiltrate a wide range of sensitive data, including:

  • AWS credentials from ~/.aws/ and GitHub tokens from ~/.config/gh/
  • Cloud instance metadata from 169.254.169.254
  • Internal API endpoints and corporate intranet resources
  • Environment variables and model API keys — all transmitted via raw SOCKS5, bypassing standard HTTP egress logs
  • Source code and private repositories accessible in the developer’s environment

A Pattern of Silent Patches

This is the second sandbox bypass discovered in Claude Code. The first (CVE-2025-66479) arose when allowedDomains: [] was configured with the intent of blocking all outbound traffic: a flawed allowedDomains.length > 0 check caused the empty list to be misread as “allow everything.” That bug was silently fixed in v2.0.55 on November 26, 2025 — the same release that still shipped the SOCKS5 null-byte injection.

Anthropic silently patched the SOCKS5 issue in v2.1.90 on April 1, 2026, with no mention of a security fix in the release notes. As of May 10, 2026, Anthropic had not published a CVE for the SOCKS5 bypass in either the NVD or the GitHub Advisory Database. CVE-2025-66479 remains the only CVE on record for either sandbox finding, and it was issued against sandbox-runtime, not Claude Code itself.

The Fix and What Organizations Should Do

The fix in sandbox-runtime 0.0.43 introduced an isValidHost() wrapper that rejects null bytes, %, CRLF, and other non-DNS characters before the matcher runs. Users should update to Claude Code v2.1.90 or later immediately (run claude --version to verify your installed version).
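The parser differential and the validate-before-match fix described above, as an added example for Node.js; it is not sandbox-runtime's source. All function names, the blocked.example host and the one-entry allowlist are constructed for illustration, and asCString() only models how a C resolver reads a NUL-terminated string.

```javascript
// Added illustration: hypothetical names, not sandbox-runtime's source.
const ALLOW = ['.google.com']; // constructed wildcard-suffix allowlist

// Parse the DOMAINNAME form of a SOCKS5 CONNECT request (RFC 1928):
// VER=0x05 CMD=0x01 RSV=0x00 ATYP=0x03 LEN NAME[LEN] PORT[2]
function parseConnect(buf) {
  if (buf.length < 7 || buf[0] !== 0x05 || buf[1] !== 0x01 || buf[3] !== 0x03) {
    throw new Error('not a SOCKS5 CONNECT with a domain name');
  }
  const len = buf[4];
  if (buf.length !== 5 + len + 2) throw new Error('length mismatch');
  // latin1 keeps every byte, including 0x00, as one character
  return { host: buf.toString('latin1', 5, 5 + len), port: buf.readUInt16BE(5 + len) };
}

// The flawed pattern the article describes: suffix match on raw bytes.
function naiveAllowed(host, allow) {
  return allow.some((suffix) => host.endsWith(suffix));
}

// What a C resolver receives: the string stops at the first NUL.
function asCString(host) {
  const i = host.indexOf('\0');
  return i === -1 ? host : host.slice(0, i);
}

// Hardened check: strict DNS syntax and a length cap, then the match.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function isValidHostname(host) {
  if (host.length === 0 || host.length > 253) return false;
  return host.toLowerCase().split('.').every((label) => LABEL.test(label));
}
function strictAllowed(host, allow) {
  // An empty allowlist denies everything: some() on [] is false.
  return isValidHostname(host) && naiveAllowed(host.toLowerCase(), allow);
}

// Constructed test input: a CONNECT request whose name carries a NUL.
function buildConnect(host, port) {
  const name = Buffer.from(host, 'latin1');
  const head = Buffer.from([0x05, 0x01, 0x00, 0x03, name.length]);
  const tail = Buffer.alloc(2);
  tail.writeUInt16BE(port);
  return Buffer.concat([head, name, tail]);
}
const sample = parseConnect(buildConnect('blocked.example\0.google.com', 443));
```

For the sample request, naiveAllowed() approves the name while asCString() shows the resolver would look up only blocked.example; strictAllowed() rejects it before any suffix comparison happens.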

Organizations that ran a wildcard allowlist on a credential-bearing system between October 20, 2025, and their upgrade date should take the following steps:

  • Audit outbound SOCKS-mediated traffic logs for anomalous connections
  • Rotate all AWS, GitHub, and API credentials that were accessible in the development environment
  • Review Claude Code’s prompt history for any injected instructions from external content sources
  • Enforce egress controls at the network or hypervisor level outside the agent’s reach

Implications for AI Development Tools

This incident highlights a systemic challenge in AI coding tools: as these assistants gain access to broader developer environments, their security boundaries become critical infrastructure. When those boundaries fail silently — and vendors do not issue public advisories — developers are left unknowingly exposed for months.

Security experts advise treating any vendor sandbox as defense-in-depth, not as a primary security boundary. Network-level egress controls, credential rotation policies, and regular audits of AI tool permissions are essential components of a robust security posture in environments where AI coding assistants are deployed.
