Claude Code sandbox bypass could expose credentials and source code from developer systems
A researcher has disclosed a Claude Code network sandbox bypass that could allow sandboxed code to reach blocked internet hosts and exfiltrate sensitive data. The issue, described as a SOCKS5 hostname null-byte injection, affected Claude Code releases from 2.0.24 through 2.1.89, according to Aonan Guan’s research.
The risk comes from how Claude Code’s sandbox filtered outbound network requests. The sandbox could approve a hostname that appeared to end in an allowed domain, while the underlying system resolver stopped at a null byte embedded in that hostname and connected to the host named before it.
That gap matters because coding agents often run near source code, cloud credentials, API keys, environment variables, and internal documentation. If a prompt injection or malicious project file gets code execution inside the sandbox, a network bypass can turn that local access into data exfiltration.
How the Claude Code network sandbox is supposed to work
Claude Code includes a sandboxed Bash tool that lets users define which files and network domains commands can reach. Anthropic’s Claude Code sandbox documentation says the sandbox uses operating system controls to enforce boundaries for Bash commands and child processes.
The feature is meant to let Claude run more autonomous shell commands while reducing the risk that generated commands can freely touch the filesystem or connect to arbitrary network destinations.
That design makes the network allowlist critical. If users configure the sandbox to allow only specific domains, they expect any blocked host to stay unreachable even if a command inside the sandbox attempts to connect to it.
| Item | Details |
|---|---|
| Issue type | Claude Code network sandbox bypass |
| Researcher | Aonan Guan |
| Bypass method | SOCKS5 hostname null-byte injection |
| Affected versions reported by researcher | Claude Code 2.0.24 through 2.1.89 |
| Reported fixed version | Claude Code 2.1.90 |
| Main risk | Data exfiltration from sandboxed commands despite network allowlist rules |
How the null-byte bypass worked
The bypass relied on a parser mismatch. Claude Code’s network filter checked whether the requested hostname ended with an allowed domain, such as .google.com. A crafted hostname could include a null byte before that allowed suffix.
In the example described by Guan’s disclosure, the sandbox policy could see a hostname ending in an allowed domain and approve it. The operating system resolver could then stop at the null byte and connect to the attacker-controlled host before the allowed suffix.
The result was a practical egress bypass. Code running inside the sandbox could send data to a host that the user’s allowlist was meant to block.
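The mismatch described above, as an added illustration that is not Claude Code’s or sandbox-runtime’s own code: a SOCKS5 domain-name address is length-prefixed (RFC 1928), so it can carry a 0x00 byte that a suffix check ignores but a NUL-terminated resolver string cuts on. The allowlist, the request bytes and the policy functions are constructed for the demo.

```javascript
// Added illustration, not Claude Code's or sandbox-runtime's own code: a
// length-prefixed SOCKS5 hostname and a NUL-terminated resolver string can
// name two different hosts. Allowlist and request bytes below are constructed.

const ALLOWED_SUFFIXES = ['.google.com'];

// Parse a SOCKS5 CONNECT with ATYP 0x03 (domain name) per RFC 1928:
// VER CMD RSV ATYP LEN DOMAIN[LEN] DST.PORT(2). LEN, not a NUL, ends the name.
function parseSocks5Connect(bytes) {
  if (bytes[0] !== 0x05 || bytes[1] !== 0x01 || bytes[3] !== 0x03) {
    throw new Error('not a SOCKS5 CONNECT with a domain-name address');
  }
  const len = bytes[4];
  if (bytes.length < 5 + len + 2) throw new Error('truncated request');
  const host = String.fromCharCode(...bytes.subarray(5, 5 + len)); // 0x00 kept
  const port = (bytes[5 + len] << 8) | bytes[6 + len];
  return { host, port };
}

// Naive policy: only asks how the string ends.
function naiveAllowed(host) {
  return ALLOWED_SUFFIXES.some(s => host.endsWith(s));
}

// What a C-string API such as getaddrinfo() sees: everything before the first NUL.
function hostSeenByResolver(host) {
  const nul = host.indexOf('\0');
  return nul === -1 ? host : host.slice(0, nul);
}

// Hardened policy: accept only a plain DNS name (no NUL, whitespace, '%', etc.),
// then match the suffix on exactly the string that will be resolved.
const DNS_NAME = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/;
function strictAllowed(host) {
  const h = host.toLowerCase();
  return DNS_NAME.test(h) && ALLOWED_SUFFIXES.some(s => h.endsWith(s));
}
// Build a constructed CONNECT request for a host/port (demo helper).
function buildConnect(host, port) {
  const name = Array.from(host, c => c.charCodeAt(0));
  return Uint8Array.from([0x05, 0x01, 0x00, 0x03, name.length, ...name, port >> 8, port & 0xff]);
}
// Evaluate one request under both policies and show what the resolver would get.
function evaluate(bytes) {
  const { host, port } = parseSocks5Connect(bytes);
  return { host, port, resolverHost: hostSeenByResolver(host),
           naive: naiveAllowed(host), strict: strictAllowed(host) };
}
console.log(evaluate(buildConnect('evil.example\0.google.com', 443)));
```

The naive check approves the request because the string ends in .google.com, while the resolver-visible name is evil.example; the strict check refuses it before any resolution happens.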
Why prompt injection makes the flaw more dangerous
The bypass becomes more serious when combined with prompt injection. A malicious instruction hidden in a README, issue comment, pull request, documentation file, or dependency metadata could persuade an AI coding agent to run commands inside a project.
If the sandbox blocks broad network access, users may assume those commands cannot exfiltrate secrets. A bypass breaks that assumption. Data such as GitHub tokens, cloud credentials, source code, environment variables, internal endpoints, and configuration files may sit close to the agent’s working directory.

This is why sandbox flaws in coding agents deserve more attention than ordinary tool bugs. The product often runs in developer environments that already hold the credentials needed to build, deploy, or manage production software.
The earlier sandbox-runtime CVE adds context
This was not the first public concern around Anthropic’s sandbox enforcement. A separate issue, CVE-2025-66479, affected Anthropic Sandbox Runtime before version 0.0.16 and involved network sandbox enforcement when no allowed domains were configured.
The NVD record for CVE-2025-66479 says sandbox-runtime did not properly enforce the network sandbox if the sandbox policy did not configure any allowed domains. The patch for that issue shipped in sandbox-runtime 0.0.16.
Guan’s report argues that the newer SOCKS5 issue reflects a broader implementation problem because it followed the earlier allowedDomains bypass and involved the same class of trust in policy enforcement.
SecurityWeek says Anthropic fixed the issue before the report
Anthropic did not issue a dedicated public security advisory for the SOCKS5 bypass at the time of the public reporting. SecurityWeek reported that Anthropic said it appreciates Guan’s work, but its security team had identified and fixed the issue before receiving the researcher’s report.
The report also said Guan’s HackerOne submission was marked as a duplicate. That dispute does not change the practical advice for users: older Claude Code versions in the affected range should not be trusted to enforce the relevant network allowlist behavior.
For companies using AI coding agents in sensitive repositories, the disclosure also raises a process question. Silent fixes can leave security teams without a clear signal to rotate credentials, review logs, or accelerate upgrades.
What data could be exposed
The most likely exposure depends on what the developer environment allowed Claude Code to read or execute. On a personal workstation, that may include local source code, shell environment variables, SSH keys, cloud CLI credentials, and package registry tokens.
On a corporate machine, the risk may be wider. Agentic coding tools may run in repositories tied to internal systems, deployment secrets, API keys, GitHub authentication, CI/CD configuration, or documentation that reveals private infrastructure.
- Source code from the active project or reachable directories.
- Environment variables and model API keys.
- GitHub tokens and package registry credentials.
- AWS, GCP, Azure, or other cloud credentials stored locally.
- Internal API endpoints and private service names.
- SSH keys, configuration files, and developer secrets.
What users should do now
Users should update Claude Code to version 2.1.90 or later if they rely on sandbox network rules. Teams should also confirm the installed version on developer machines, CI runners, and any managed workstation images where Claude Code is deployed.
The Claude Code sandbox guide says the sandbox runs on macOS, Linux, and WSL2, while native Windows is not supported. Security teams should check each supported environment separately because developer tooling often differs across operating systems.
- Run claude --version and confirm the installed version is 2.1.90 or later.
- Audit use of wildcard network allowlists in Claude Code sandbox settings.
- Rotate credentials reachable from machines that ran affected versions.
- Review outbound logs for unusual SOCKS-mediated traffic where available.
- Move high-risk agent workloads into external isolation such as containers, VMs, or network-level egress controls.
- Do not treat a vendor sandbox as the only boundary around sensitive code or secrets.
Why external egress controls still matter
The lesson for security teams is not only to update Claude Code. Agentic coding tools need layered controls because prompt injection, tool execution, and local secrets can combine in unexpected ways.
The CVE-2025-66479 entry shows that even a sandbox library can fail to enforce network policy under specific configurations. The newer disclosure shows how a different validation mistake can also undermine network restrictions.
Network controls outside the agent’s process can reduce the blast radius. That includes firewall egress rules, proxy enforcement, isolated development containers, disposable VMs, short-lived credentials, least-privilege tokens, and separate workspaces for untrusted code.
Why this matters for AI coding tools
Claude Code is part of a broader shift toward AI agents that can read repositories, run commands, inspect documentation, and make code changes. That power increases productivity, but it also increases the impact when security boundaries fail.
SecurityWeek’s report notes that the bypass could have been chained with prompt injection to exfiltrate data. That is the key risk for enterprises: the attacker may not need direct access to a developer’s machine if they can place instructions in content the agent later reads.
Organizations should review how AI coding tools run, what secrets they can access, and which external destinations they can reach. A sandbox helps, but it should sit inside broader endpoint, identity, and network controls.
The safest approach is to update Claude Code, rotate sensitive credentials where exposure is plausible, and treat agent sandboxes as defense-in-depth rather than a complete security boundary.
FAQ
The disclosed bypass was a SOCKS5 hostname null-byte injection issue that could let sandboxed code reach hosts blocked by the user’s network allowlist.
Researcher Aonan Guan reported that Claude Code versions 2.0.24 through 2.1.89 were affected by the SOCKS5 null-byte bypass, with the issue fixed in version 2.1.90.
No public CVE was listed for the SOCKS5 bypass at the time of reporting. CVE-2025-66479 covers an earlier sandbox-runtime network sandbox issue.
Data at risk could include source code, environment variables, GitHub tokens, cloud credentials, SSH keys, API keys, internal endpoints, and other files reachable from the sandboxed process.
Users should update to Claude Code 2.1.90 or later, review sandbox allowlists, rotate credentials that may have been reachable, and enforce network controls outside the agent where possible.