Cyber Web Spider Blog – News

Claude Code Sandbox Flaw Risks User Data Exposure


Posted on May 21, 2026 By CWS

Anthropic’s AI coding assistant, Claude Code, was affected by a significant security vulnerability that persisted for over five months, risking the exposure of sensitive user credentials and source code. The flaw, a sandbox bypass, was not initially addressed publicly by the company, raising concerns over its impact on developer systems.

Details of the Vulnerability

Security expert Aonan Guan identified and disclosed a second major bypass in Claude Code’s network sandbox. This vulnerability, which involved a SOCKS5 hostname null-byte injection, was present from version 2.0.24, released on October 20, 2025, through version 2.1.89. Over 130 versions were affected during this period.

The issue was quietly resolved in version 2.1.90 on April 1, 2026, without any mention of a security fix in the release notes. This oversight follows a previous sandbox flaw (CVE-2025-66479) where configured settings intended to block traffic were misinterpreted, allowing unrestricted access.

Technical Exploitation and Risks

The flaw exploits a discrepancy between JavaScript and the underlying C library (libc). The sandbox routes traffic through a SOCKS5 proxy, which validates hostnames with JavaScript’s endsWith() function. An attacker could craft a hostname that the JavaScript filter approves but that libc resolves differently, allowing access to restricted hosts.
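The mismatch described above, shown as an added example that is not Claude Code's or sandbox-runtime's actual code: a suffix check on the raw string next to a hardened check that rejects anything other than a plain hostname before matching. The allowlist, function names and hostnames are hypothetical and constructed for illustration.

```javascript
// Added example. All names and hosts below are hypothetical / constructed.
const ALLOWED_SUFFIXES = ['.allowed.example']; // wildcard allowlist: *.allowed.example

// SOCKS5 CONNECT request with ATYP 0x03 (domain name): the host is a
// length-prefixed byte string, so a 0x00 byte is legal on the wire.
function buildRequest(host, port) {
  const name = Buffer.from(host, 'latin1');
  return Buffer.concat([Buffer.from([0x05, 0x01, 0x00, 0x03, name.length]),
    name, Buffer.from([port >> 8, port & 0xff])]);
}

function parseHost(req) {
  if (req.length < 7 || req[0] !== 0x05 || req[3] !== 0x03) return null;
  const len = req[4];
  if (req.length !== 5 + len + 2) return null; // truncated or trailing bytes
  return req.subarray(5, 5 + len).toString('latin1');
}

// Weak filter: suffix match on the raw JavaScript string.
function naiveAllow(host) {
  return ALLOWED_SUFFIXES.some((s) => host.endsWith(s));
}

// What a C resolver receives: a C string stops at the first NUL byte.
function resolverView(host) {
  const nul = host.indexOf('\0');
  return nul === -1 ? host : host.slice(0, nul);
}

// Hardened filter: canonicalise, accept only letter-digit-hyphen labels,
// and only then compare against the allowlist.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function strictAllow(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) return false;
  const name = host.toLowerCase().replace(/\.$/, '');
  if (!name.split('.').every((label) => LABEL.test(label))) return false;
  return ALLOWED_SUFFIXES.some((s) => name.endsWith(s));
}

function check(host) {
  const parsed = parseHost(buildRequest(host, 443));
  return { naive: naiveAllow(parsed), resolves: resolverView(parsed), strict: strictAllow(parsed) };
}

console.log(check('api.allowed.example'));
console.log(check('internal.test\0.allowed.example')); // constructed mismatch case
```

The policy decision and the name handed to the resolver must be the same canonical string; validating one representation and resolving another is what lets the two layers disagree.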

This vulnerability became particularly dangerous when used alongside prompt injection attacks. Malicious code embedded in GitHub comments or documentation could exploit the bypass to extract data such as AWS credentials, GitHub tokens, and internal API endpoints.

Response and Recommendations

Anthropic closed the report on this vulnerability as a duplicate and has not listed a CVE for the SOCKS5 bypass in any public database. Currently, CVE-2025-66479 is the only recorded CVE related to these issues, and it refers to sandbox-runtime, not Claude Code itself.

Users are advised to update to Claude Code version 2.1.90 or later immediately. Those who used a wildcard allowlist on systems with sensitive credentials are urged to review their outbound traffic logs and rotate any exposed credentials. Treat the vendor sandbox as an additional security measure, not the primary defense, and enforce strict egress controls at a layer outside the agent’s control.


Category: Cyber Security News
Tags: Anthropic, AWS credentials, Claude Code, CVE, Cybersecurity, data breach, GitHub, HackerOne, network security, prompt injection, sandbox vulnerability, security patch, SOCKS5, Software Security, user data

Copyright © 2026 Cyber Web Spider Blog – News.
