Blogs on Aonan Guan

Second Time, Same Sandbox: Another Anthropic Claude Code Network Sandbox Bypass Enables Data Exfiltration

Wed, 20 May 2026 00:00:00 +0000

For the second time in five months, Anthropic Claude Code's network sandbox lets a process inside reach hosts the user's policy says to block, and exfiltrate any data the process touches. Every Claude Code release from 2.0.24 (sandbox GA on 2025-10-20) through 2.1.89 was vulnerable to a SOCKS5 hostname null-byte injection. About 5.5 months and ~130 versions, including the release that silently fixed the first sandbox bypass. Both findings ended in a silent fix and no Claude Code security advisory.

Comment and Control: Prompt Injection to Credential Theft in Claude Code, Gemini CLI, and GitHub Copilot Agent

Wed, 15 Apr 2026 00:00:00 +0000

Anthropic Claude Code Security Review, Google Gemini CLI Action, and GitHub Copilot Agent are vulnerable to prompt injection via GitHub comments — turning PR titles, issue bodies, and issue comments into attack vectors for API key and token theft.

Never Wait for Approval — Prompt Injection in Strix AI Pentesting Agent Steals Cloud Credentials

Fri, 03 Apr 2026 00:00:00 +0000

A prompt injection vulnerability in Strix AI pentesting agent enables arbitrary command execution through malicious project files. The tool designed to red-team others gets red-teamed by its own target — cloud credentials exfiltrated through the project you are scanning.

Agent SkillSlip: Path Traversal in Google Gemini CLI, Anthropic Claude Code, and Vercel add-skill

Sun, 08 Mar 2026 00:00:00 +0000

Google Gemini CLI, Anthropic Claude Code, and Vercel add-skill share the same path traversal flaw: the name field in skill metadata is passed to path.join() without validation, enabling VS Code hijacking and SSH key injection — invisible to the user.

Capability Laundering in MCP 3: CVE-2026-27735 Anthropic Git MCP Server git_add Path Traversal to Credential Exfiltration

Sat, 28 Feb 2026 00:00:00 +0000

CVE-2026-27735: MCP Git Server git_add path traversal vulnerability enables credential exfiltration via GitPython's missing boundary validation. A single git_add call reads SSH keys, kubeconfig, and AWS credentials into Git history — invisible in the working directory. Third case of capability laundering in MCP ecosystems.

MCP Bundle Security: Zip Slip and Silent Overwrite Risks for MCPB Developers

Sat, 17 Jan 2026 00:00:00 +0000

MCPB bundles are ZIP files. MCP developers implementing custom extraction must handle ZIP security risks like path traversal, silent overwrite, and symlink attacks.

Capability Laundering in MCP 2: CVE-2025-68143 Anthropic Git MCP Server Path Traversal to Credential Exfiltration

Sun, 28 Dec 2025 00:00:00 +0000

CVE-2025-68143: Anthropic Git MCP Server's git_init bypasses CWD boundaries, enabling attackers to create repositories in sensitive directories and exfiltrate credentials via routine Git tool calls.

Capability Laundering in MCP: Anthropic Memory Server to Terminal Hijacking

Sat, 27 Dec 2025 00:00:00 +0000

A schema validation flaw in Anthropic's Memory MCP Server enables VS Code terminal profile hijacking through capability laundering. Despite being patched, Anthropic declined to assign a CVE and closed the report as 'informative'.

CVE-2025-66479: Anthropic's Silent Fix and the CVE That Claude Code Never Got

Wed, 03 Dec 2025 00:00:00 +0000

A critical sandbox misconfiguration in Anthropic's sandbox-runtime could have left Claude Code users' system at significant risk. Despite fixing the issue silently, Anthropic did not assign a CVE to their flagship product Claude Code.

Click, Parse, Execute - When a GUI Agent's Control Plane Becomes a Remote Control Surface

Thu, 25 Sep 2025 00:00:00 +0000

Discovered a critical RCE vulnerability in Microsoft's OmniParser/OmniTool where an unauthenticated execution surface on the VM controller could allow attackers to remotely control GUI agents. Microsoft assigned CVE-2025-55322 and shipped a fix.

Three Dots to Root: How I Found a Path Traversal in Microsoft's Agentic Web (NLWeb)

Wed, 06 Aug 2025 00:00:00 +0000

Discovered a classic path traversal vulnerability in Microsoft’s new Agentic Web protocol (NLWeb) that could expose sensitive files including API keys, credentials, and configuration files. The vulnerability was particularly critical as it could compromise AI agents’ “cognitive engines” by leaking LLM API keys.

The research was featured in an exclusive interview with The Verge and subsequently covered by 30+ international media outlets across 15+ countries in 10+ languages, including PCWorld, IT Pro, Neowin, Tom’s Guide, CIO Korea, 3DNews Russia, iSpazio Italy, and Dagens AI Denmark.