Claude Code Sandbox Flaw Exposes User Credentials & Source Code

For over five months, Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass. This vulnerability allowed attackers to exfiltrate credentials, source code, and environment variables from developer systems. Despite the severity, the company has issued no public advisory for either incident.

Security researcher Aonan Guan has publicly disclosed a second complete bypass of Claude Code’s network sandbox, marking what he describes as a consistent implementation failure rather than an isolated bug.

The vulnerability, a SOCKS5 hostname null-byte injection, affected every Claude Code release from v2.0.24 (sandbox GA on October 20, 2025) through v2.1.89, spanning approximately 130 published versions over roughly 5.5 months.

Anthropic silently patched the issue in v2.1.90 on April 1, 2026, with no mention of a security fix in the release notes.

This follows the first sandbox bypass (CVE-2025-66479), in which configuring allowedDomains: [] intended to block all outbound traffic was misread by Claude Code as “allow everything” due to a flawed allowedDomains.length > 0 check.

That bug was silently fixed in v2.0.55 on November 26, 2025 — the same release that still shipped the SOCKS5 null-byte injection.oddguan+1

Claude Code’s Network Sandbox Vulnerability

The attack exploits a parser differential between JavaScript and the underlying C library (libc).

Claude Code’s sandbox routes outbound traffic through a SOCKS5 proxy that uses a JavaScript endsWith() check to validate hostnames against the user’s allowlist (e.g., *.google.com).

An attacker crafts a hostname like attacker-host.comx00.google.com — the JavaScript filter sees the trailing .google.com and approves the connection, while libc‘s getaddrinfo() terminates at the null byte (x00) and resolves attacker-host.com, the blocked host.theregister+1

The vulnerable code in sandbox-runtime <= 0.0.42 passed raw DOMAINNAME bytes directly from a SOCKS5 CONNECT request into the matcher with no null-byte rejection, no length cap, and no character whitelist.

The fix in sandbox-runtime 0.0.43 introduced an isValidHost() wrapper that rejects x00, %, CRLF, and other non-DNS characters before the matcher runs.

The bypass becomes especially dangerous when paired with prompt injection attacks.

A malicious instruction hidden in a GitHub issue comment, README, or documentation file that Claude Code reads can trigger attacker-controlled code inside the sandbox. Until v2.1.90, that code could exploit this bypass to silently exfiltrate:

• AWS credentials from ~/.aws/ and GitHub tokens from ~/.config/gh/
• Cloud instance metadata from 169.254.169.254
• Internal API endpoints and corporate intranet resources.
• Environment variables and model API keys — all transmitted via raw SOCKS5, bypassing standard HTTP egress logs.

Anthropic closed Guan’s HackerOne report (#3646509) as a duplicate and, as of May 10, 2026, had not published a CVE for the SOCKS5 bypass in either the NVD or the GitHub Advisory Database.

CVE-2025-66479 remains the only CVE on record for either sandbox finding, and it was issued against sandbox-runtime, not Claude Code itself.

The Claude Code security advisories page lists no sandbox vulnerabilities. Users should update to Claude Code v2.1.90 or later immediately (claude --version to verify).

Anyone who ran a wildcard allowlist on a credential-bearing system between October 20, 2025, and their upgrade date should audit outbound SOCKS-mediated traffic logs and rotate all reachable credentials.

As the researcher notes, treat the vendor sandbox as defense-in-depth, not as a security boundary, and enforce egress controls at the network or hypervisor level outside the agent’s reach.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.