The Sandbox Bypass Mechanism
A security researcher, Aonan Guan, revealed a critical bypass in Anthropic’s Claude Code AI coding assistant that allowed attackers to steal sensitive data from developer systems. The flaw was exploitable through SOCKS5 hostname null-byte injection. When the assistant processed outbound traffic through its SOCKS5 proxy, it used a JavaScript endsWith() check to validate hostnames against an allowlist. An attacker could craft a hostname like ‘attacker-host.com\x00.google.com’ that passed the JavaScript filter because the full string ends with ‘.google.com’, but the underlying C library treated the null byte as the end of the string and resolved the blocked hostname instead.
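The mismatch described above, shown as an added example that is not Anthropic's code: a raw endsWith() suffix test beside a validator that checks the exact bytes a resolver would receive. The function names, the allowlist, and the asCString() model of C string truncation are assumptions made for illustration.

```javascript
// Added illustration; names and allowlist are assumptions, not Claude Code's source.
const ALLOWED_SUFFIXES = ['google.com']; // constructed allowlist

// Weak check of the kind the article describes: a raw suffix test on the string.
function weakIsAllowed(host) {
  return ALLOWED_SUFFIXES.some((s) => host.endsWith('.' + s));
}

// Models how a C resolver sees the same bytes: the string stops at the first NUL.
function asCString(host) {
  const nul = host.indexOf('\x00');
  return nul === -1 ? host : host.slice(0, nul);
}

// Hardened check: validate the whole hostname before any suffix comparison.
function strictIsAllowed(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) return false;
  // Letters, digits, hyphens and dots only; rejects NUL, whitespace and control bytes.
  if (!/^[A-Za-z0-9.-]+$/.test(host)) return false;
  const name = host.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  const labels = name.split('.');
  if (labels.some((l) => l.length === 0 || l.length > 63)) return false;
  // Match on a label boundary: the domain itself or a true subdomain of it.
  return ALLOWED_SUFFIXES.some((s) => name === s || name.endsWith('.' + s));
}

// Both decisions plus the name that would actually be resolved, for comparison.
function evaluate(host) {
  return {
    weak: weakIsAllowed(host),
    strict: strictIsAllowed(host),
    resolved: asCString(host),
  };
}

// Constructed sample inputs; the second is the hostname shape quoted in the article.
const samples = [
  'mail.google.com',
  'attacker-host.com\x00.google.com',
  'notgoogle.com',
  'GOOGLE.com.',
];
for (const h of samples) console.log(JSON.stringify(h), evaluate(h));
```

For the null-byte hostname the weak check returns true while the resolved name is attacker-host.com; the strict check rejects it before any suffix comparison runs.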
Impact and Scope
The vulnerability affected every Claude Code release from version 2.0.24 (sandbox general availability on October 20, 2025) through version 2.1.89, spanning about 130 published versions over roughly 5.5 months. Anthropic silently patched the issue in version 2.1.90 on April 1, 2026, without mentioning the security fix in the release notes. This was the second sandbox bypass discovered in Claude Code, following an earlier flaw in which configuring ‘allowedDomains: []’ to block all outbound traffic was misinterpreted as allowing everything due to a flawed check. The bypass becomes especially dangerous when combined with prompt injection attacks, where malicious instructions hidden in GitHub comments or README files can trigger data exfiltration.
Source: Cyber Security News
