r/AI_Agents: Two Claude Code Network Sandbox Bypasses in Five Months — Second Via SOCKS5 Hostname Null-Byte Injection Disclosed on HackerOne by Researcher Aonan Guan

Researcher Aonan Guan disclosed a second Claude Code network sandbox bypass via HackerOne this month; the mechanism is a SOCKS5 hostname null-byte injection where Claude Code's JavaScript policy layer reads the full hostname while libc stops at the null byte, allowing traffic to route to nominally blocked hosts. Both bypasses in this five-month window were fixed silently without public CVEs, raising questions about the shared responsibility model and Anthropic's disclosure practices for operators running Claude Code in production agentic pipelines.