Anthropic

The first time, the sandbox heard “allow nothing” and did “allow everything” (CVE-2025-66479). This time, an attacker who runs code inside the sandbox can defeat any wildcard allowlist (e.g. *.google.com, *.anthropic.com) with a single null byte in a SOCKS5 hostname: Policy sees: attacker-host.com\x00.google.com -> endsWith(".google.com") == true Resolver sees: attacker-host.com -> actually dials blocked host TL;DR The sandbox has been bypassable since it shipped. Two distinct bugs in Anthropic Claude Code’s network sandbox, both live from sandbox GA on 2025-10-20. Every release from 2.0.24 through 2.1.89 was vulnerable to at least one of them. About 5.5 months and ~130 published versions. There was never a moment when the sandbox actually worked. Finding 1 (CVE-2025-66479, recap): the user copied allowedDomains: [] from the doc to mean “block all outbound traffic.” Claude Code read it as “allow everything.” Patched in v2.0.55 on 2025-11-26, the same release that still shipped Finding 2 below. Finding 2 (this post): SOCKS5 hostname null-byte injection. The user’s policy says allow only *.google.com. The attacker sends a hostname like attacker-host.com\x00.google.com. The filter sees the trailing .google.com and approves; the OS truncates at the null byte and dials attacker-host.com. Silently fixed in v2.1.90 on 2026-04-01. No Claude Code security advisory for either finding. No security note in the changelog, no CVE for Claude Code, no notice to users on the ~130 vulnerable releases. A user finds out only by reverse-engineering cli.js or reading this post. What an attacker gets. Combined with prompt injection (e.g. a hidden instruction in a GitHub issue comment that Claude Code reads), anything inside the sandbox can be sent to any server on the internet. Credentials, source code, environment variables, internal data. Even when the user has restricted egress to a strict wildcard allowlist. The Pattern %%{init: {'theme':'base', 'themeVariables': {'fontSize':'14px','fontFamily':'-apple-system, BlinkMacSystemFont, sans-serif'}}}%% sequenceDiagram participant P as Sandboxed Process participant SOCKS as SOCKS5 Proxy(JS filter, on host) participant DNS as getaddrinfo(libc, on host) participant T as Target P->>SOCKS: CONNECT example.com\x00.google.com:80 Note over SOCKS: hostname.endsWith('.google.com')= true → ALLOW SOCKS->>DNS: resolve(example.com\x00.google.com) Note over DNS: C string terminates at \x00actually resolves "example.com" DNS-->>SOCKS: A record for example.com SOCKS->>T: TCP example.com:80 Note over T: Blocked host reached.Outbound exfiltration channel open. OS-level enforcement (sandbox-exec on macOS, bubblewrap on Linux) correctly pins the agent to localhost. The bypass lives in the SOCKS proxy the sandbox delegates egress decisions to, which runs on the host with full network privileges. Fool the proxy, and the host dials. ...

What Happened Anthropic’s Memory MCP Server is designed to help AI agents remember information across conversations by storing entities in a knowledge graph JSON Lines (JSONL) file. According to its documentation, each entity should only contain name, entityType, and observations. However, the vulnerable implementation accepted and stored additional properties beyond what was documented. That turned “memory persistence” into arbitrary JSON injection, enabling persistent VS Code configuration injection and terminal profile hijacking. ...

allowedDomains: [], “Empty array = no network access.” — Anthropic Sandbox Runtime Documentation The implementation did not match the documentation. When I configured Claude Code’s sandbox with allowedDomains: [], expecting complete network isolation, the sandbox was wide open and allowed connections to any server on the internet. Anthropic patched this quietly in Claude Code v2.0.55 with a changelog entry saying “Fix proxy DNS resolution” — no mention of a critical security flaw. They assigned CVE-2025-66479 to their runtime library but did not assign a CVE to their flagship product Claude Code. The changelog did not include a security advisory. In practice, the issue was fixed quietly and most users were unlikely to realize there was a security patch. ...