Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
Cybersecurity NewsArchived May 21, 2026✓ Full text saved
Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, allowing attackers to exfiltrate credentials, source code, and environment variables from developer systems, and the company issued no public advisory for either incident. Security researcher Aonan Guan has publicly disclosed a second complete bypass of Claude Code’s network sandbox, […] The post Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code appeared
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Claude Code’s Network Sandbox Vulnerability Exposes User Credentials and Source Code
By Guru Baran
May 21, 2026
Anthropic’s Claude Code AI coding assistant harbored a critical network sandbox bypass for over five months, allowing attackers to exfiltrate credentials, source code, and environment variables from developer systems, and the company issued no public advisory for either incident.
Security researcher Aonan Guan has publicly disclosed a second complete bypass of Claude Code’s network sandbox, marking what he describes as a consistent implementation failure rather than an isolated bug.
The vulnerability, a SOCKS5 hostname null-byte injection, affected every Claude Code release from v2.0.24 (sandbox GA on October 20, 2025) through v2.1.89, spanning approximately 130 published versions over roughly 5.5 months.
Anthropic silently patched the issue in v2.1.90 on April 1, 2026, with no mention of a security fix in the release notes.
This follows the first sandbox bypass (CVE-2025-66479), in which configuring allowedDomains: [] intended to block all outbound traffic was misread by Claude Code as “allow everything” due to a flawed allowedDomains.length > 0 check.
That bug was silently fixed in v2.0.55 on November 26, 2025 — the same release that still shipped the SOCKS5 null-byte injection.oddguan+1
Claude Code’s Network Sandbox Vulnerability
The attack exploits a parser differential between JavaScript and the underlying C library (libc).
Claude Code’s sandbox routes outbound traffic through a SOCKS5 proxy that uses a JavaScript endsWith() check to validate hostnames against the user’s allowlist (e.g., *.google.com).
An attacker crafts a hostname like attacker-host.com\x00.google.com — the JavaScript filter sees the trailing .google.com and approves the connection, while libc‘s getaddrinfo() terminates at the null byte (\x00) and resolves attacker-host.com, the blocked host.theregister+1
The vulnerable code in sandbox-runtime <= 0.0.42 passed raw DOMAINNAME bytes directly from a SOCKS5 CONNECT request into the matcher with no null-byte rejection, no length cap, and no character whitelist.
The fix in sandbox-runtime 0.0.43 introduced an isValidHost() wrapper that rejects \x00, %, CRLF, and other non-DNS characters before the matcher runs.
The bypass becomes especially dangerous when paired with prompt injection attacks.
A malicious instruction hidden in a GitHub issue comment, README, or documentation file that Claude Code reads can trigger attacker-controlled code inside the sandbox. Until v2.1.90, that code could exploit this bypass to silently exfiltrate:
AWS credentials from ~/.aws/ and GitHub tokens from ~/.config/gh/
Cloud instance metadata from 169.254.169.254
Internal API endpoints and corporate intranet resources.
Environment variables and model API keys — all transmitted via raw SOCKS5, bypassing standard HTTP egress logs.
Anthropic closed Guan’s HackerOne report (#3646509) as a duplicate and, as of May 10, 2026, had not published a CVE for the SOCKS5 bypass in either the NVD or the GitHub Advisory Database.
CVE-2025-66479 remains the only CVE on record for either sandbox finding, and it was issued against sandbox-runtime, not Claude Code itself.
The Claude Code security advisories page lists no sandbox vulnerabilities. Users should update to Claude Code v2.1.90 or later immediately (claude --version to verify).
Anyone who ran a wildcard allowlist on a credential-bearing system between October 20, 2025, and their upgrade date should audit outbound SOCKS-mediated traffic logs and rotate all reachable credentials.
As the researcher notes, treat the vendor sandbox as defense-in-depth, not as a security boundary, and enforce egress controls at the network or hypervisor level outside the agent’s reach.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Critical Canon MailSuite Vulnerability Enables Remote Code Execution Attacks
New Malware Framework Enables Screen Control, Browser Artifact Access, and UAC Bypass
DirtyDecrypt Linux Kernel Vulnerability PoC Exploit Code Released
Microsoft Exchange, Windows 11, and Cursor Zero-Days Exploited on Pwn2Own Day 2
Microsoft Edge Stops Loading Saved Passwords Into Memory at Startup
Latest News
Cyber Security News
Dark Web Brokers Repackage Old Breaches as Fresh Corporate Data Leaks
Cyber Security News
Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems
Cyber Security News
Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure
Cyber Security News
Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks
Cyber Security News
DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks