Full Report
Another day, another AI bug silently fixed with no CVE and no public disclosure
Analysis Summary
# Vulnerability: Claude Code Sandbox Network Allowlist Bypass via Null-Byte Injection
## CVE Details
- **CVE ID**: [No CVE Assigned] (Note: A related upstream flaw in `sandbox-runtime` was previously tracked as CVE-2025-66479, but the specific Claude Code integration flaw lacks an identifier).
- **CVSS Score**: Not Evaluated (Estimated High/Critical due to data exfiltration capabilities).
- **CWE**: CWE-158: Improper Neutralization of Null Byte or NUL Character.
## Affected Systems
- **Products**: Anthropic Claude Code (Agentic coding tool).
- **Versions**: All versions from General Availability (GA) through **v2.1.87**.
- **Configurations**: Systems running Claude Code with a network sandbox enabled, particularly those using a wildcard allowlist or residing on credential-bearing systems.
## Vulnerability Description
The vulnerability stems from a SOCKS5 hostname null-byte injection flaw within the Claude Code network sandbox. The sandbox is designed to restrict the agent's network access to an approved list of domains (allowlist). However, by injecting a null byte into the SOCKS5 hostname request, an attacker can trick the filter into approving connections to unauthorized destinations.
When combined with **prompt injection**, an attacker can force the AI agent to:
1. Execute malicious code within the sandbox.
2. Bypass the network boundary intended to prevent data egress.
3. Exfiltrate sensitive data to an attacker-controlled server.
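
As a defensive illustration of the filtering step described above, the following added example (not code from Claude Code or `sandbox-runtime`) validates the raw bytes of a SOCKS5 CONNECT hostname before allowlist matching and fails closed on a null byte. The function names, the `*.suffix` rule format and the sample requests are assumptions constructed for this example.

```javascript
// Added example: strict handling of the SOCKS5 CONNECT hostname
// (RFC 1928, ATYP 0x03). Names and rule format are assumptions.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Request layout: VER CMD RSV ATYP LEN DST.ADDR[LEN] DST.PORT[2]
function parseConnectHost(buf) {
  if (buf.length < 8 || buf[0] !== 0x05 || buf[1] !== 0x01 || buf[2] !== 0x00)
    throw new Error("not a SOCKS5 CONNECT request");
  if (buf[3] !== 0x03) throw new Error("only ATYP=DOMAINNAME handled here");
  const len = buf[4];
  if (len === 0 || buf.length !== 5 + len + 2) throw new Error("bad length");
  const raw = buf.subarray(5, 5 + len);
  // Check raw bytes first: NUL, control, space and non-ASCII bytes never
  // reach string decoding, the matcher, or the resolver.
  for (const b of raw)
    if (b <= 0x20 || b >= 0x7f) throw new Error(`illegal byte 0x${b.toString(16)}`);
  const host = raw.toString("latin1").toLowerCase().replace(/\.$/, "");
  if (host.length > 253 || !host.split(".").every((l) => LABEL.test(l)))
    throw new Error("invalid hostname");
  return { host, port: buf.readUInt16BE(5 + len) };
}

// Exact match, or "*.suffix" matching any subdomain of suffix.
function isAllowed(host, allowlist) {
  return allowlist.some((rule) =>
    rule.startsWith("*.") ? host.endsWith(rule.slice(1)) : host === rule);
}

// Fail closed. The caller must connect to the returned `host` string, the
// same value that was matched, never to the original request bytes.
function decide(buf, allowlist) {
  try {
    const { host, port } = parseConnectHost(buf);
    return isAllowed(host, allowlist)
      ? { allow: true, host, port }
      : { allow: false, reason: "not in allowlist" };
  } catch (e) {
    return { allow: false, reason: e.message };
  }
}

// Constructed sample requests (not captured traffic).
function buildRequest(hostBytes, port) {
  const h = Buffer.from(hostBytes, "latin1");
  return Buffer.concat([Buffer.from([5, 1, 0, 3, h.length]), h,
    Buffer.from([port >> 8, port & 0xff])]);
}
const ALLOW = ["*.example.com"];
console.log(decide(buildRequest("api.example.com", 443), ALLOW));
console.log(decide(buildRequest("api\x00.example.com", 443), ALLOW));
```

The decision is made on the same normalized string that is later used for the outbound connection, so the filter and the resolver cannot disagree about where the hostname ends.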
## Exploitation
- **Status**: PoC available (detailed by researcher Aonan Guan); patched by vendor.
- **Complexity**: Medium (Requires successful prompt injection or manipulation of the agent’s input).
- **Attack Vector**: Network (Remote via prompt injection).
## Impact
- **Confidentiality**: **High**. Allows exfiltration of GitHub tokens, cloud provider credentials (AWS/GCP/Azure metadata), source code, and internal API keys.
- **Integrity**: **Medium**. Allows execution of unauthorized code within the sandbox environment.
- **Availability**: **Low**. Primary impact is data theft rather than denial of service.
## Remediation
### Patches
- **Claude Code v2.1.88** or later contains the fix.
- The underlying fix was applied to the `sandbox-runtime` repository on March 31, 2026.
### Workarounds
- **Update Immediately**: Update Claude Code to version **2.1.90** or higher so that the full fix window is covered.
- **Egress Filtering**: Implement network-level egress filtering (firewalls) independent of the AI tool's internal sandbox.
- **Principle of Least Privilege**: Do not run AI agents on systems with access to highly sensitive environmental credentials unless strictly necessary.
## Detection
- **Indicators of Compromise**: Monitor for unusual outbound network connections from developer workstations to unknown IP addresses or domains, especially via SOCKS5 proxies.
- **Historical Analysis**: Users who ran vulnerable versions (pre-v2.1.88) for the 5.5 months prior to the patch should audit logs for potential data exfiltration, as the network boundary may have been ineffective during this period.
## References
- **Researcher Blog**: hxxps[://]oddguan[.]com/blog/second-time-same-sandbox-anthropic-claude-code-network-allowlist-bypass-data-exfiltration/
- **Original Research**: hxxps[://]oddguan[.]com/blog/claude-code-sandbox-2/README[.]md
- **Upstream CVE (Related)**: hxxps[://]nvd[.]nist[.]gov/vuln/detail/cve-2025-66479