Cyber Security News reported on 21 May 2026 that security researcher Aonan Guan publicly disclosed a second complete bypass of Anthropic's Claude Code network sandbox, a SOCKS5 hostname null-byte injection affecting versions v2.0.24 through v2.1.89 (roughly 130 releases over 5.5 months). The flaw exploits a parser differential: a JavaScript endsWith() check approves hostnames like attacker-host.com\x00.google.com against the user's allowlist, while libc's getaddrinfo() terminates at the null byte and resolves the attacker host. When chained with prompt injection from sources Claude Code reads (READMEs, GitHub issues, docs), the bypass enables silent exfiltration of AWS credentials, GitHub tokens, cloud instance metadata, environment variables, and model API keys via raw SOCKS5, bypassing HTTP egress logs. Anthropic silently patched the issue in sandbox-runtime 0.0.43 / Claude Code v2.1.90 on 1 April 2026 with no security mention in the release notes, closed Guan's HackerOne report (#3646509) as a duplicate, and has not assigned a CVE for the SOCKS5 bypass; CVE-2025-66479 covers only the earlier allowedDomains bypass. Users are advised to upgrade to v2.1.90 or later and rotate credentials reachable from systems that used wildcard allowlists.
- Claude Code's Network Sandbox Vulnerability Exposes User Credent(opens in a new tab)
- Anthropic Quietly Fixes Claude Code Sandbox Escape Vulnerability(opens in a new tab)