Anthropic Addresses Claude Code Sandbox Flaw Quietly

Posted on May 20, 2026 By CWS

Anthropic has discreetly resolved a significant security flaw in its Claude Code platform that could have been exploited to bypass network sandbox restrictions, potentially leading to data breaches. This vulnerability allowed unauthorized access to external networks by circumventing the local allowlist proxy, which is designed to block unapproved connections.

Details of the Discovered Vulnerabilities

Recent investigations by cybersecurity expert Aonan Guan revealed two separate vulnerabilities in the Claude Code network sandbox. The first, identified as CVE-2025-66479, was discovered by another researcher and involved a misinterpretation of settings that resulted in the sandbox permitting all outbound traffic. This issue was corrected with a patch released on November 26, 2025.

The second flaw, found by Guan, involved a SOCKS5 hostname null-byte injection. By appending a null byte to a hostname, an attacker could trick the filter into approving a connection to a malicious host, because the operating system truncated the address at the null byte.
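The mismatch described above, as an added example (not code from Anthropic or the sandbox-runtime project): a SOCKS5 CONNECT parser with a naive allowlist check beside a strict one that rejects the null byte before matching. The allowlist entry, the hostnames and the suffix-matching filter are constructed assumptions.

```javascript
// Added example: constructed allowlist and request bytes, not sandbox-runtime code.
const ALLOWLIST = ['allowed.example'];           // hypothetical allowlist entry

// Parse a SOCKS5 CONNECT request (RFC 1928) carrying a domain name (ATYP 0x03).
function parseSocks5Connect(buf) {
  if (buf.length < 7 || buf[0] !== 0x05 || buf[1] !== 0x01 || buf[2] !== 0x00) {
    throw new Error('not a SOCKS5 CONNECT request');
  }
  if (buf[3] !== 0x03) throw new Error('only ATYP=domain handled in this example');
  const len = buf[4];
  if (buf.length !== 5 + len + 2) throw new Error('length mismatch');
  // latin1 keeps a 1:1 byte-to-char mapping so no byte is silently altered.
  const host = buf.subarray(5, 5 + len).toString('latin1');
  return { host, port: buf.readUInt16BE(5 + len) };
}

// Weak check: matches the allowlist against the raw string as received.
function naiveAllowed(host) {
  return ALLOWLIST.some((d) => host === d || host.endsWith('.' + d));
}

// What a C-string API sees: everything before the first NUL byte.
function asCString(host) {
  const i = host.indexOf('\0');
  return i === -1 ? host : host.slice(0, i);
}

// Hardened check: accept only letters, digits, hyphens and dots (LDH labels),
// so NUL and every other control byte is rejected before allowlist matching.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function strictAllowed(host) {
  const h = host.toLowerCase();
  if (h.length === 0 || h.length > 253) return false;
  if (!h.split('.').every((label) => LABEL.test(label))) return false;
  return ALLOWLIST.some((d) => h === d || h.endsWith('.' + d));
}

// Build a request the way a client would (constructed sample input).
function buildRequest(host, port) {
  const name = Buffer.from(host, 'latin1');
  const port2 = Buffer.alloc(2);
  port2.writeUInt16BE(port);
  return Buffer.concat([Buffer.from([5, 1, 0, 3, name.length]), name, port2]);
}

const sample = parseSocks5Connect(buildRequest('other.example\0.allowed.example', 443));
console.log(naiveAllowed(sample.host), asCString(sample.host), strictAllowed(sample.host));
```

The naive check and the C-string view disagree about which host is being requested; the strict check closes that gap by refusing any name that a resolver could interpret differently from the filter.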

Timeline and Disclosure Concerns

The vulnerability was present from October 20, 2025, when the sandbox was made widely available, until the patched version 2.1.90 was released in April. Guan reported this issue through Anthropic’s bug bounty platform, but the company classified it as a duplicate and did not issue a CVE specifically for this vulnerability.

Guan expressed dissatisfaction with Anthropic’s handling of the situation, particularly because the CVE was associated with the ‘sandbox-runtime’ library rather than Claude Code itself. He highlighted that users operating the vulnerable configuration had no way of knowing the sandbox was compromised during the affected period.

Potential Implications and Anthropic’s Response

Guan also disclosed a related attack vector known as Comment and Control, which targets AI-driven code security tools. This method allows attackers to manipulate AI agents in GitHub Actions through crafted comments, posing a risk of data exfiltration when combined with the sandbox vulnerability.

In response, Anthropic acknowledged Guan’s contributions but stated that their security team had already addressed the issue before his report. The fix was implemented in a public commit to the ‘sandbox-runtime’ repository on March 27 and released in Claude Code version 2.1.88 shortly after.

As the cybersecurity landscape continues to evolve, it is crucial for companies like Anthropic to maintain transparency and communication regarding potential vulnerabilities and their resolutions. Such measures are vital for safeguarding user data and maintaining trust within the technology community.
