Anthropic Claude Code Sandbox Bypass: Second Vulnerability Exposes Critical Data Exfiltration Risk
Key Takeaways
- ▸Claude Code's network sandbox shipped with two critical security bypasses: an overly-permissive default on empty allowlists (CVE-2025-66479) and a null-byte injection vulnerability in SOCKS5 filtering
- ▸Both vulnerabilities remained exploitable across approximately 130 published releases spanning 5.5 months—every version from October 20, 2025 through April 1, 2026 was vulnerable to at least one flaw
- ▸No official security advisories, CVEs, or changelog entries were issued for Claude Code users; outside researchers discovered both issues, with the second vulnerability never publicly disclosed by Anthropic
Summary
Security researchers have identified a second critical vulnerability in Anthropic's Claude Code sandbox, following a previous bypass (CVE-2025-66479). The new exploit uses null-byte injection in SOCKS5 hostnames to circumvent wildcard domain allowlists, allowing attackers to reach arbitrary servers on the internet while appearing to comply with network policies. An attacker passing a hostname like "attacker-host.com\x00.google.com" can bypass filtering that checks only the suffix, as the policy validator sees the permitted domain while the OS resolver truncates at the null byte and connects to the blocked host.
Most critically, the sandbox has been vulnerable since its public release on October 20, 2025 (v2.0.24). Every release through April 1, 2026 (v2.1.90) contained at least one of these two critical flaws—approximately 5.5 months and 130 published versions with zero truly secure build. The first vulnerability (allowing empty allowlists to default to permissive behavior) was patched in v2.0.55 on November 26, 2025, but the second null-byte injection flaw shipped in that same release and remained unpatched until v2.1.90. Combined with prompt injection attacks, the vulnerability could enable exfiltration of credentials, source code, environment variables, and internal data from any sandboxed process.
Concerningly, neither vulnerability triggered a security advisory, CVE assignment for Claude Code itself, or changelog notification to users. The first flaw only received a CVE against the underlying sandbox-runtime library (CVE-2025-66479), creating a discovery gap for Claude Code users. Outside researchers identified both issues; the second was never officially disclosed by Anthropic, and users learned of it only through reverse-engineering or independent security research.
- When combined with prompt injection attacks, either vulnerability enables data exfiltration to arbitrary servers, even when users configure strict domain allowlists
Editorial Opinion
The Claude Code sandbox represents a critical trust boundary for developers running AI-assisted code execution—yet it shipped broken and remained broken for over five months with no public security warnings. The fact that both discovered vulnerabilities came from outside research, not internal security reviews, raises questions about Anthropic's security testing practices for infrastructure features. While the April 2026 patch closed these specific bypasses, the lack of transparent disclosure and proactive user notification undermines confidence in Claude Code's safety claims.
