A critical security flaw in Anthropic’s Claude Code AI coding assistant allowed attackers to bypass its network sandbox protections for more than five months, potentially exposing developer credentials, source code, cloud metadata, and internal corporate systems.
The vulnerability, disclosed by security researcher Aonan Guan, is the second reported sandbox bypass affecting Claude Code and raises broader concerns about the reliability of security controls in AI-powered developer tools.
Sandbox Bypass Affected More Than 130 Releases
According to Guan, the flaw impacted every Claude Code release from v2.0.24 through v2.1.89, covering roughly 130 published versions between October 2025 and April 2026.
Anthropic quietly fixed the issue in Claude Code v2.1.90 on April 1, 2026, but did not publicly identify the update as a security patch in its release notes.
The newly disclosed vulnerability involved a SOCKS5 hostname null-byte injection that exploited differences in how JavaScript and underlying system libraries process network requests.
How the Claude Code Vulnerability Worked
Claude Code’s sandbox routes outbound traffic through a SOCKS5 proxy designed to enforce hostname restrictions using allowlists such as *.google.com.
The issue stemmed from the sandbox relying on JavaScript’s endsWith() function to validate approved domains. Attackers could manipulate hostnames by inserting a null byte sequence into a malicious address.
Exploiting Parser Differences
A crafted hostname such as:
attacker-host.com\x00.google.com
would appear valid to the JavaScript filter because it ended with .google.com. However, the underlying C library function getaddrinfo() interpreted the null byte as the end of the hostname and instead resolved the request to attacker-host.com.
As a result, attackers could bypass outbound network restrictions and redirect traffic to unauthorized destinations.
Researchers said the vulnerable sandbox-runtime implementation accepted raw SOCKS5 domain data without filtering null bytes, limiting hostname length, or validating characters.
The patch introduced a new isValidHost() validation layer that blocks null bytes, CRLF sequences, percent-encoded payloads, and other invalid DNS characters before hostname matching occurs.
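The parser mismatch and the kind of pre-match validation described above, as an added JavaScript illustration (not Anthropic's or the sandbox-runtime project's code). All function names are hypothetical, asCString() is only a stand-in for how a C string consumer such as getaddrinfo() reads the name, and the validator is not the patch's isValidHost().

```javascript
// Added illustration; not Anthropic's or sandbox-runtime's code.
// All function names here are hypothetical.

// Suffix-only allowlist check of the kind the article describes.
function suffixOnlyAllowed(host, allowlist) {
  return allowlist.some((pattern) =>
    pattern.startsWith("*.")
      ? host.endsWith(pattern.slice(1)) // "*.google.com" -> ".google.com"
      : host === pattern
  );
}

// What a C string consumer sees: the bytes up to the first NUL.
function asCString(host) {
  const nul = host.indexOf("\x00");
  return nul === -1 ? host : host.slice(0, nul);
}

// Strict hostname syntax check applied before any allowlist matching.
function isPlausibleDnsName(host) {
  if (typeof host !== "string" || host.length === 0 || host.length > 253) return false;
  // Letters, digits, hyphen, dot only: rejects NUL, CR/LF, '%', spaces.
  if (!/^[A-Za-z0-9.-]+$/.test(host)) return false;
  return host.split(".").every(
    (label) => label.length >= 1 && label.length <= 63 &&
      !label.startsWith("-") && !label.endsWith("-")
  );
}

function hardenedAllowed(host, allowlist) {
  return isPlausibleDnsName(host) && suffixOnlyAllowed(host.toLowerCase(), allowlist);
}

// Constructed sample inputs (the hostname is the one quoted in the article).
const ALLOWLIST = ["*.google.com"];
const CRAFTED = "attacker-host.com\x00.google.com";

function demo() {
  return {
    filterSaw: suffixOnlyAllowed(CRAFTED, ALLOWLIST),    // filter's verdict
    resolverSaw: asCString(CRAFTED),                     // name the resolver uses
    hardened: hardenedAllowed(CRAFTED, ALLOWLIST),       // verdict after validation
    legit: hardenedAllowed("www.google.com", ALLOWLIST), // normal traffic
  };
}
console.log(demo());
```

The same validate-then-match order is what makes the allowlist decision and the resolved name refer to the same string.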
Prompt Injection Increased the Risk
The vulnerability became significantly more dangerous when combined with prompt injection attacks — a growing concern across AI coding assistants used by developers and enterprise engineering teams.
Malicious instructions hidden inside GitHub issues, README files, documentation, or code comments could cause Claude Code to execute attacker-controlled actions inside the sandbox environment.
Before the fix, attackers could reportedly use the bypass to silently exfiltrate sensitive data, including:
Potentially Exposed Data
- AWS credentials stored in ~/.aws/
- GitHub authentication tokens
- Cloud instance metadata from 169.254.169.254
- Internal APIs and intranet resources
- Environment variables and AI model API keys
Researchers noted that the data could be transmitted directly through raw SOCKS5 traffic, potentially evading standard HTTP monitoring and outbound logging systems commonly used in enterprise environments.
Previous Claude Code Sandbox Bug Also Raised Concerns
The newly disclosed flaw follows an earlier sandbox vulnerability tracked as CVE-2025-66479.
That earlier issue involved a logic error in Claude Code’s allowedDomains configuration. A setting intended to block all outbound traffic — allowedDomains: [] — was mistakenly interpreted as allowing unrestricted internet access due to an incorrect allowedDomains.length > 0 condition check.
Anthropic silently fixed that bug in Claude Code v2.0.55 in November 2025. However, the SOCKS5 null-byte injection flaw remained present in the same release.
Researchers Urge Additional Security Controls
Guan said Anthropic closed the related HackerOne disclosure as a duplicate report and, as of May 2026, no separate CVE entry had been issued for the SOCKS5 bypass in either the National Vulnerability Database or the GitHub Advisory Database.
The only publicly tracked identifier remains CVE-2025-66479, which was assigned to the sandbox runtime rather than Claude Code itself.
Security experts warn that organizations using AI coding assistants should avoid treating application-level sandboxes as complete security boundaries. Instead, they recommend enforcing network-level egress controls and isolation mechanisms outside the AI agent’s direct reach.
Developers and enterprises running Claude Code versions earlier than v2.1.90 are being urged to update immediately, review outbound SOCKS proxy traffic, and rotate any potentially exposed credentials.

