CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, allowing attackers to exfiltrate credentials, source code, and environment variables from developer systems, and the company issued no public advisory for either incident. Security researcher Aonan Guan has publicly disclosed a second complete bypass of Claude Code’s network sandbox, […] The post Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code appeared

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code By Guru Baran May 21, 2026 Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, allowing attackers to exfiltrate credentials, source code, and environment variables from developer systems, and the company issued no public advisory for either incident. Security researcher Aonan Guan has publicly disclosed a second complete bypass of Claude Code’s network sandbox, marking what he describes as a consistent implementation failure rather than an isolated bug. The vulnerability, a SOCKS5 hostname null-byte injection, affected every Claude Code release from v2.0.24 (sandbox GA on October 20, 2025) through v2.1.89, spanning approximately 130 published versions over roughly 5.5 months. Anthropic silently patched the issue in v2.1.90 on April 1, 2026, with no mention of a security fix in the release notes. This follows the first sandbox bypass (CVE-2025-66479), in which configuring allowedDomains: [] intended to block all outbound traffic was misread by Claude Code as “allow everything” due to a flawed allowedDomains.length > 0 check. That bug was silently fixed in v2.0.55 on November 26, 2025 — the same release that still shipped the SOCKS5 null-byte injection.oddguan+1 Claude Code’s Network Sandbox Vulnerability The attack exploits a parser differential between JavaScript and the underlying C library (libc). Claude Code’s sandbox routes outbound traffic through a SOCKS5 proxy that uses a JavaScript endsWith() check to validate hostnames against the user’s allowlist (e.g., *.google.com). An attacker crafts a hostname like attacker-host.com\x00.google.com — the JavaScript filter sees the trailing .google.com and approves the connection, while libc‘s getaddrinfo() terminates at the null byte (\x00) and resolves attacker-host.com, the blocked host.theregister+1 The vulnerable code in sandbox-runtime <= 0.0.42 passed raw DOMAINNAME bytes directly from a SOCKS5 CONNECT request into the matcher with no null-byte rejection, no length cap, and no character whitelist. The fix in sandbox-runtime 0.0.43 introduced an isValidHost() wrapper that rejects \x00, %, CRLF, and other non-DNS characters before the matcher runs. The bypass becomes especially dangerous when paired with prompt injection attacks. A malicious instruction hidden in a GitHub issue comment, README, or documentation file that Claude Code reads can trigger attacker-controlled code inside the sandbox. Until v2.1.90, that code could exploit this bypass to silently exfiltrate: AWS credentials from ~/.aws/ and GitHub tokens from ~/.config/gh/ Cloud instance metadata from 169.254.169.254 Internal API endpoints and corporate intranet resources. Environment variables and model API keys — all transmitted via raw SOCKS5, bypassing standard HTTP egress logs. Anthropic closed Guan’s HackerOne report (#3646509) as a duplicate and, as of May 10, 2026, had not published a CVE for the SOCKS5 bypass in either the NVD or the GitHub Advisory Database. CVE-2025-66479 remains the only CVE on record for either sandbox finding, and it was issued against sandbox-runtime, not Claude Code itself. The Claude Code security advisories page lists no sandbox vulnerabilities. Users should update to Claude Code v2.1.90 or later immediately (claude --version to verify). Anyone who ran a wildcard allowlist on a credential-bearing system between October 20, 2025, and their upgrade date should audit outbound SOCKS-mediated traffic logs and rotate all reachable credentials. As the researcher notes, treat the vendor sandbox as defense-in-depth, not as a security boundary, and enforce egress controls at the network or hypervisor level outside the agent’s reach. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks New Malware Framework Enables Screen Control, Browser Artifact Access, and UAC Bypass DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2 Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup Latest News Cyber Security News Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks Cyber Security News Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems Cyber Security News Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure Cyber Security News Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks Cyber Security News DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗