Second Time, Same Sandbox: Another Anthropic Claude Code Network Sandbox Bypass Enables Data Exfiltration
The first time, the sandbox heard “allow nothing” and did “allow everything” (CVE-2025-66479). This time, an attacker who runs code inside the sandbox can defeat any wildcard allowlist (e.g. *.google.com, *.anthropic.com) with a single null byte in a SOCKS5 hostname: Policy sees: attacker-host.com\x00.google.com -> endsWith(".google.com") == true Resolver sees: attacker-host.com -> actually dials blocked host TL;DR The sandbox has been bypassable since it shipped. Two distinct bugs in Anthropic Claude Code’s network sandbox, both live from sandbox GA on 2025-10-20. Every release from 2.0.24 through 2.1.89 was vulnerable to at least one of them. About 5.5 months and ~130 published versions. There was never a moment when the sandbox actually worked. Finding 1 (CVE-2025-66479, recap): the user copied allowedDomains: [] from the doc to mean “block all outbound traffic.” Claude Code read it as “allow everything.” Patched in v2.0.55 on 2025-11-26, the same release that still shipped Finding 2 below. Finding 2 (this post): SOCKS5 hostname null-byte injection. The user’s policy says allow only *.google.com. The attacker sends a hostname like attacker-host.com\x00.google.com. The filter sees the trailing .google.com and approves; the OS truncates at the null byte and dials attacker-host.com. Silently fixed in v2.1.90 on 2026-04-01. No Claude Code security advisory for either finding. No security note in the changelog, no CVE for Claude Code, no notice to users on the ~130 vulnerable releases. A user finds out only by reverse-engineering cli.js or reading this post. What an attacker gets. Combined with prompt injection (e.g. a hidden instruction in a GitHub issue comment that Claude Code reads), anything inside the sandbox can be sent to any server on the internet. Credentials, source code, environment variables, internal data. Even when the user has restricted egress to a strict wildcard allowlist. The Pattern %%{init: {'theme':'base', 'themeVariables': {'fontSize':'14px','fontFamily':'-apple-system, BlinkMacSystemFont, sans-serif'}}}%% sequenceDiagram participant P as Sandboxed Process participant SOCKS as SOCKS5 Proxy(JS filter, on host) participant DNS as getaddrinfo(libc, on host) participant T as Target P->>SOCKS: CONNECT example.com\x00.google.com:80 Note over SOCKS: hostname.endsWith('.google.com')= true → ALLOW SOCKS->>DNS: resolve(example.com\x00.google.com) Note over DNS: C string terminates at \x00actually resolves "example.com" DNS-->>SOCKS: A record for example.com SOCKS->>T: TCP example.com:80 Note over T: Blocked host reached.Outbound exfiltration channel open. OS-level enforcement (sandbox-exec on macOS, bubblewrap on Linux) correctly pins the agent to localhost. The bypass lives in the SOCKS proxy the sandbox delegates egress decisions to, which runs on the host with full network privileges. Fool the proxy, and the host dials. ...