Claude Code SOCKS5 flaw enables full sandbox data theft
Key insights
- A SOCKS5 null-byte injection bypassed Claude Code's network allowlist, enabling exfiltration of all sandbox contents to attacker-controlled servers.
- Anthropic patched the flaw in v2.1.90 without issuing a CVE, security advisory, or public disclosure for the second consecutive time.
- Combined with prompt injection, the vulnerability allows a remote attacker full control over a Claude Code sandbox without user awareness.
Why this matters
Agentic coding tools like Claude Code run with elevated permissions on developer machines, so a sandbox bypass is not a theoretical risk but a direct path to credential theft and source code exfiltration at scale across every organization that has deployed them. Anthropic's repeated choice to patch silently without CVE assignment removes the signal that security teams, SOC vendors, and platform administrators depend on to prioritize patching and audit their logs. The null-byte injection class of bypass is decades old and well-documented, so the recurrence of this vulnerability pattern points to a structural gap in Anthropic's pre-release security review process for Claude Code's networking layer.
Summary
Anthropic's Claude Code has been hit by a second network sandbox bypass in five months, discovered again by security researcher Aonan Guan of Wyze Labs. The flaw uses SOCKS5 hostname null-byte injection to smuggle a blocked destination past the network allowlist filter, letting an attacker route traffic to any arbitrary internet server and exfiltrate the full contents of the sandbox: credentials, source code, private keys, whatever is present.
When chained with a prompt injection attack, the exploit hands a remote attacker complete control over the sandbox environment without any user interaction beyond loading a malicious prompt.
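A defensive check for the bug class described above, as an added example that is not from the original article or from Anthropic's code: it parses a SOCKS5 CONNECT request (RFC 1928) and rejects any hostname carrying a NUL or other non-hostname byte before the allowlist comparison, then returns exactly the string that was checked. The allowlist entries, function names and sample hostnames are assumptions constructed for illustration; the article does not describe how Claude Code's filter is implemented.

```python
import re

# Hypothetical allowlist for illustration; entries are matched exactly.
ALLOWED_HOSTS = frozenset({"api.example.com", "registry.example.org"})
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class RejectedRequest(ValueError):
    """The request is malformed or names a host that is not allowed."""


def parse_connect_host(request: bytes) -> tuple[str, int]:
    """Parse a SOCKS5 CONNECT request whose address is a domain name."""
    if len(request) < 5 or request[:3] != b"\x05\x01\x00":
        raise RejectedRequest("not a SOCKS5 CONNECT request")
    if request[3] != 0x03:
        raise RejectedRequest("only ATYP=0x03 (domain name) is handled here")
    name_len = request[4]
    if len(request) != 5 + name_len + 2:
        raise RejectedRequest("length prefix does not match request size")
    raw = request[5:5 + name_len]
    port = int.from_bytes(request[5 + name_len:], "big")
    try:
        host = raw.decode("ascii").lower()
    except UnicodeDecodeError:
        raise RejectedRequest("non-ASCII hostname") from None
    # fullmatch on every label rejects NUL, control bytes, spaces and empty labels.
    if not all(_LABEL.fullmatch(label) for label in host.split(".")):
        raise RejectedRequest(f"illegal bytes in hostname: {raw!r}")
    return host, port


def authorize(request: bytes) -> tuple[str, int]:
    """Return the (host, port) to dial; the caller dials exactly this value."""
    host, port = parse_connect_host(request)
    if host not in ALLOWED_HOSTS:
        raise RejectedRequest(f"host not on allowlist: {host}")
    return host, port


def build_request(host: bytes, port: int) -> bytes:
    """Construct a sample CONNECT request (test input, not captured traffic)."""
    return bytes([0x05, 0x01, 0x00, 0x03, len(host)]) + host + port.to_bytes(2, "big")
```

The point of the ordering is that validation runs on the raw bytes from the wire, so the filter and the resolver can never disagree about where the hostname ends.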
Essentially, Anthropic patched a critical exfiltration path in Claude Code silently, with no CVE and no public advisory, mirroring exactly how it handled Guan's first disclosure.
- The patch landed in Claude Code v2.1.90 with no security bulletin, no CVE assignment, and no coordinated disclosure notice.
- Null-byte injection as an allowlist bypass is a well-understood class of vulnerability, raising questions about whether Anthropic's sandbox filter was reviewed against standard evasion techniques before deployment.
- Guan flagged the no-disclosure pattern explicitly after the first bypass; Anthropic repeated it anyway.
The pattern of silent patches in a tool that runs with broad filesystem and network access on developer machines sets a precedent that will be difficult to walk back as agentic coding tools proliferate.
Potential risks and opportunities
Risks
- Enterprise security teams that rely on CVE feeds and vendor advisories to trigger patching workflows may still be running vulnerable Claude Code versions weeks after v2.1.90 shipped, leaving developer credentials and source code exposed.
- Prompt injection payloads targeting this bypass could be embedded in malicious repositories or code review comments, turning any Claude Code user who opens an attacker-controlled project into an exfiltration target.
- Anthropic's silent-patch pattern, now documented twice publicly by the same researcher, increases the likelihood that other undisclosed sandbox vulnerabilities exist and are being exploited without defenders having any advisory trail to reference.
Opportunities
- Security vendors focused on agentic AI runtime protection (Protect AI, Oligo Security, Invariant Labs) gain a concrete, named CVE-class incident to anchor enterprise sales conversations about AI tool sandboxing.
- Organizations building internal AI coding assistant infrastructure on open-source models gain a credible differentiation argument around transparent security disclosure compared to Anthropic's current posture.
- Browser and OS-level sandboxing vendors (Tart, gVisor, Firecracker) could position lightweight VM isolation as the correct architectural layer for agentic tool containment, given that allowlist-based filtering has now failed twice in the same product.
What we don't know yet
- Whether Anthropic conducted any internal audit of the allowlist filter against standard proxy-evasion techniques before v2.1.90, and if so, what the scope covered.
- How many Claude Code installations were running vulnerable versions between the researcher's report and the silent patch release, and for how long.
- Whether Anthropic has committed to CVE assignment or coordinated disclosure for future Claude Code security fixes following Guan's public criticism of the pattern.
Originally reported by oddguan.com
Original headline: Second Time, Same Sandbox: Researcher Discloses Another Claude Code Network Bypass via SOCKS5 Null-Byte Injection Enabling Full Data Exfiltration