Claude Code Network Sandbox Bypassed for 5.5 Months via SOCKS5 Hostname Null-Byte Injection — Anthropic Patched Silently, Closed HackerOne Report as Duplicate, No CVE Issued
Date: 2026-05-21
Tags: malicious-tool, supply-chain
Executive Summary
Independent researcher Aonan Guan publicly disclosed on 2026-05-20 a second network sandbox bypass in Anthropic's Claude Code CLI. The bypass let any code that Claude Code executed inside its sandbox evade the user's domain allowlist and exfiltrate AWS credentials, GitHub tokens, environment variables, model API keys, and local source code over a raw SOCKS5 connection that does not appear in HTTP egress logs. The flaw — a SOCKS5 hostname null-byte injection of the form attacker-host.com\x00.google.com — affected every Claude Code release from v2.0.24 (sandbox GA, 2025-10-20) through v2.1.89, roughly 130 versions over 5.5 months, and was silently patched in v2.1.90 on 2026-04-01 with no security note in the release notes. Anthropic closed Guan's HackerOne report #3646509 as a duplicate, declined to issue a CVE against Claude Code, and as of disclosure had not published a security advisory. Developers running affected versions with a custom allowedDomains policy should upgrade to ≥ v2.1.90 immediately and rotate any credentials that Claude Code agent runs touched during the affected window.
Campaign Summary
| Field | Detail |
|---|---|
| Vulnerability | Claude Code network sandbox bypass — SOCKS5 hostname null-byte injection |
| Affected product | Anthropic Claude Code CLI (@anthropic-ai/claude-code) |
| Affected versions | v2.0.24 (sandbox GA, 2025-10-20) through v2.1.89 — ~130 published versions |
| Patched version | v2.1.90, released 2026-04-01 |
| CVE | None assigned to Claude Code. The prior, related sandbox bypass (CVE-2025-66479, CVSS 1.8) was issued against @anthropic-ai/sandbox-runtime < 0.0.16, not Claude Code itself. |
| Disclosure date | 2026-05-20 (researcher blog), covered by SecurityWeek and The Register on 2026-05-20 |
| Researcher | Aonan Guan (Wyze Labs, blog at oddguan.com) |
| Status | Patched silently 2026-04-01; public disclosure 2026-05-20; no Anthropic security advisory at disclosure time |
Detailed Findings
According to Aonan Guan's public write-up Second Time, Same Sandbox, the vulnerability sits in how Claude Code's sandbox enforces the network allowlist that operators configure via the allowedDomains policy. The sandbox routes all outbound network traffic through an embedded SOCKS5 proxy that validates the requested hostname against the allowlist before relaying the connection. The validation is implemented as a JavaScript suffix check — if the requested hostname ends with one of the allowed entries (for example *.google.com), the connection is approved. The relayed hostname is then passed unchanged to libc's getaddrinfo() for resolution. Because C string handling terminates at the first null byte, a hostname of the form attacker-host.com\x00.google.com passes the JavaScript suffix check (the string ends with .google.com to the JS engine, which treats \x00 as just another character inside the string) but resolves to attacker-host.com at the OS layer.
The result is a complete bypass of the network allowlist. Any code running inside the Claude Code sandbox — including code generated by an LLM agent run, tool-installed dependencies, or untrusted MCP servers — can open a raw SOCKS5 tunnel to an attacker-controlled host. Because the channel is raw SOCKS5 rather than HTTP, the exfiltration does not appear in proxy logs, web egress logs, or browser-style telemetry; it shows up only at the L3 network layer if egress filtering is in place outside the sandbox itself.
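The validation mismatch described above, as an added example for testing an allowlist check (this is not Claude Code's source). The function names and the one-entry policy are hypothetical; the hostname is the placeholder from the write-up, and the request layout follows RFC 1928.

```javascript
// Added illustration; not Claude Code's source. All names are hypothetical.
const ALLOWED_SUFFIXES = ['.google.com']; // assumed policy, after the *.google.com example

// Parse a SOCKS5 CONNECT request (RFC 1928) whose address type is a domain name.
function parseSocks5Connect(buf) {
  if (buf.length < 7 || buf[0] !== 0x05 || buf[1] !== 0x01 || buf[3] !== 0x03) {
    throw new Error('not a SOCKS5 CONNECT with ATYP=domain');
  }
  const len = buf[4];
  if (buf.length !== 5 + len + 2) throw new Error('length field mismatch');
  // latin1 maps each byte to one character, so an embedded 0x00 survives.
  return { host: buf.toString('latin1', 5, 5 + len), port: buf.readUInt16BE(5 + len) };
}

// The flawed pattern: suffix match on the raw string.
function suffixOnlyAllow(host) {
  return ALLOWED_SUFFIXES.some((s) => host.endsWith(s));
}

// What a C resolver sees: the string stops at the first NUL.
function asCString(host) {
  const i = host.indexOf('\0');
  return i === -1 ? host : host.slice(0, i);
}

// Hardened: enforce hostname syntax (letters, digits, hyphen) before matching.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function strictAllow(host) {
  const h = host.toLowerCase();
  if (h.length === 0 || h.length > 253) return false;
  if (!h.split('.').every((label) => LABEL.test(label))) return false;
  return ALLOWED_SUFFIXES.some((s) => h.endsWith(s));
}

// Constructed test input: encodes a hostname into request bytes.
function buildRequest(host, port) {
  const name = Buffer.from(host, 'latin1');
  const tail = Buffer.alloc(2);
  tail.writeUInt16BE(port);
  return Buffer.concat([Buffer.from([0x05, 0x01, 0x00, 0x03, name.length]), name, tail]);
}

function demo() {
  const { host } = parseSocks5Connect(buildRequest('attacker-host.com\0.google.com', 443));
  return { suffixOnly: suffixOnlyAllow(host), resolved: asCString(host), strict: strictAllow(host) };
}
```

The suffix-only check approves a name that the resolver reads as a different host; the strict check rejects it because one label contains a byte outside the hostname alphabet.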
Guan tested credential exfiltration over the bypass and confirmed extraction of AWS credentials read from ~/.aws/credentials, GitHub personal access tokens read from ~/.config/gh/config.yml, model API keys held in environment variables such as ANTHROPIC_API_KEY and OPENAI_API_KEY, and arbitrary local source code read from the agent's working directory. The Register notes that the data exfiltration window in production environments may be effectively unlimited because the SOCKS5 channel produces no HTTP egress signal that a proxy or DLP control would normally log.
This is the second documented Claude Code sandbox bypass attributed to Guan. The first, tracked as CVE-2025-66479 (CVSS 1.8, Protection Mechanism Failure / CWE-693), was a bug in @anthropic-ai/sandbox-runtime < 0.0.16 in which a sandbox configured with allowedDomains: [] — intended by the operator to mean complete network isolation — was treated as no policy configured and permitted unrestricted egress. Anthropic patched that flaw in sandbox-runtime v0.0.16 and shipped the Claude Code packaging in v2.0.55 with the changelog line "Fix proxy DNS resolution"; no security advisory mentioned the network isolation regression. Guan submitted his HackerOne report on the first bypass on 2026-04-03; Anthropic responded that it had identified and fixed the issue earlier (public commit 2026-03-27, shipped in v2.1.88 on 2026-03-31). On the second bypass (the SOCKS5 null-byte injection covered here), Anthropic closed Guan's HackerOne report #3646509 as a duplicate, patched silently in v2.1.90 on 2026-04-01, and as of the 2026-05-20 public disclosure had not assigned a CVE to Claude Code or published a security advisory.
The Register reports that Anthropic's own Claude model, when shown the technical write-up, concurred with Guan's severity assessment — hence the headline "Even Claude agrees: hole in its sandbox was real and dangerous." SecurityWeek's coverage focuses on the disclosure-process question: when an AI tool vendor patches a sandbox-escape-class flaw without filing a CVE or warning operators who rely on the sandbox as a security boundary, downstream defenders cannot prioritise upgrades, cannot retrospectively audit the affected window, and cannot reason about which credential rotations are now required.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Subvert Trust Controls: Software Component Tampering — N/A; the sandbox itself is the trust boundary being bypassed | T1553 | The sandbox's domain allowlist is the protection mechanism; the SOCKS5 null-byte injection bypasses it without modifying the sandbox |
| Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | T1048.002 | Raw SOCKS5 tunnel from inside the sandbox to attacker-controlled host; no HTTP egress signal |
| Unsecured Credentials: Credentials In Files | T1552.001 | ~/.aws/credentials, ~/.config/gh/config.yml accessed from inside the sandbox |
| Unsecured Credentials: Environment Variables | T1552.001 | ANTHROPIC_API_KEY, OPENAI_API_KEY, and arbitrary env vars readable inside the sandbox |
| Defense Evasion: Impair Defenses — Disable or Modify System Firewall | T1562.004 | Equivalent effect on the sandbox's egress allowlist; the allowlist is intact but bypassed |
IOCs
Aonan Guan's disclosure is a vulnerability advisory, not an incident response report. No attacker-controlled domains, hostnames, hashes, or exploit URLs have been observed in the wild — the proof-of-concept used the placeholder attacker-host.com\x00.google.com to demonstrate the suffix-vs-resolution mismatch. Anthropic infrastructure (claude.ai, api.anthropic.com) is not an IOC; the vulnerability is in the local Claude Code CLI, not in Anthropic-hosted services. Defenders detect this bypass by checking the local Claude Code version (claude --version) and by network telemetry, not by domain blocklists; see Detection Recommendations below.
Domains
No domain IOCs published by source
Full URL Paths
No URL IOCs published by source
Splunk Format
No IOCs available for Splunk query
File Hashes
No hash IOCs published by source
Detection Recommendations
Version inventory (every endpoint running Claude Code):
- Run claude --version (or check ~/.claude/CLAUDE.md and package.json for the npm-installed CLI) and compare against the affected range. Any version >= 2.0.24 && < 2.1.90 was vulnerable; any version >= 2.0.24 && < 2.0.55 was vulnerable to the first sandbox bypass (CVE-2025-66479) as well. Inventory via MDM, your endpoint management agent, or a one-off SSM/Ansible task across developer fleets.
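One way to triage collected version strings against the two ranges above (an added example, not Anthropic tooling). It assumes the collected output contains a single MAJOR.MINOR.PATCH token; the host names and sample output strings are constructed.

```javascript
// Added example, not Anthropic tooling. Boundaries are the ones this brief states.
const SANDBOX_GA = [2, 0, 24]; // first release with the sandbox
const FIRST_FIX = [2, 0, 55];  // CVE-2025-66479 (empty allowedDomains) fixed
const SECOND_FIX = [2, 1, 90]; // SOCKS5 null-byte path fixed

// Assumption: the version output contains one MAJOR.MINOR.PATCH token.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function classify(versionOutput) {
  const v = parseVersion(versionOutput);
  if (!v) return { status: 'unknown', nullByte: null, emptyAllowlist: null };
  const hasSandbox = compare(v, SANDBOX_GA) >= 0;
  const nullByte = hasSandbox && compare(v, SECOND_FIX) < 0;
  const emptyAllowlist = hasSandbox && compare(v, FIRST_FIX) < 0;
  const status = nullByte ? 'upgrade-and-rotate' : hasSandbox ? 'patched' : 'pre-sandbox';
  return { status, nullByte, emptyAllowlist };
}

// Hosts needing action; those exposed to both bypasses sort first.
function triage(inventory) {
  return inventory
    .map((row) => ({ host: row.host, ...classify(row.versionOutput) }))
    .filter((r) => r.status === 'upgrade-and-rotate' || r.status === 'unknown')
    .sort((a, b) => Number(b.emptyAllowlist === true) - Number(a.emptyAllowlist === true));
}

// Constructed sample inventory (host names and output strings are made up).
const SAMPLE = [
  { host: 'dev-01', versionOutput: '2.1.89 (Claude Code)' },
  { host: 'dev-02', versionOutput: '2.0.30' },
  { host: 'dev-03', versionOutput: '2.1.90' },
  { host: 'dev-04', versionOutput: 'command not found' },
];
```

The status reflects only the currently installed version; a host reported as patched may still have run an affected release during the exposure window, so the retrospective credential audit applies to it as well.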
Retrospective credential audit:
- Treat the window 2025-10-20 → 2026-04-01 as a potential credential exposure window for any developer who ran Claude Code agent sessions with allowedDomains configured. Rotate AWS access keys, GitHub PATs, npm tokens, and model API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, others) that were present in ~/.aws/, ~/.config/gh/, or the shell environment of Claude Code processes during that window. The CVE-2025-66479 window for an empty-allowedDomains policy is narrower (sandbox-runtime < 0.0.16, Claude Code < 2.0.55).
Network egress (catches future bypasses of this class):
- Do not rely on the Claude Code sandbox as the sole egress control for developer endpoints handling production credentials. Pair it with a host-level firewall (macOS pf, Linux nftables, Windows Defender Firewall) or a network-level egress proxy whose allowlist is enforced outside the sandbox and that logs raw L4 connections, not just HTTP.
- Alert on outbound SOCKS5 connections (default proxy ports 1080, 1085, 4145, plus any custom port) originating from a developer workstation to a non-allowlisted destination. SOCKS5 from developer hosts is rare in most environments outside specific tooling (Tor, lightsail, dev proxies); a baseline followed by exception monitoring catches the bypass.
- For EDR with process+netconn telemetry (CrowdStrike, SentinelOne, Defender for Endpoint), correlate claude (or node invoking @anthropic-ai/claude-code) processes with outbound connections to non-allowlisted hosts, especially over ephemeral high ports.
Configuration hardening for ongoing use:
- After upgrading to v2.1.90+, audit the allowedDomains policy in every developer's Claude Code config and reject overly broad entries (e.g., bare TLD wildcards). The fix in v2.1.90 closes the null-byte path but the allowlist remains the primary control surface.
References
- [Aonan Guan] Second Time, Same Sandbox: Another Anthropic Claude Code Network Sandbox Bypass Enables Data Exfiltration (2026-05-20) — https://oddguan.com/blog/second-time-same-sandbox-anthropic-claude-code-network-allowlist-bypass-data-exfiltration/
- [Aonan Guan] CVE-2025-66479: Anthropic's Silent Fix and the CVE That Claude Code Never Got (prior disclosure, referenced as the "first time") — https://oddguan.com/blog/anthropic-sandbox-cve-2025-66479/
- [The Register] Even Claude agrees: hole in its sandbox was real and dangerous (2026-05-20) — https://www.theregister.com/security/2026/05/20/even-claude-agrees-hole-in-its-sandbox-was-real-and-dangerous/5243662
- [SecurityWeek] Anthropic Silently Patches Claude Code Sandbox Bypass (2026-05-20) — https://www.securityweek.com/anthropic-silently-patches-claude-code-sandbox-bypass/
- [Cybersecurity News] Claude Code's Network Sandbox Vulnerability Exposes User Credentials and Source Code (2026-05-20) — https://cybersecuritynews.com/claude-codes-network-sandbox-vulnerability/
- [NVD] CVE-2025-66479 (prior related sandbox-runtime CVE, CVSS 1.8) — https://nvd.nist.gov/vuln/detail/CVE-2025-66479