Researchers discovered vulnerabilities in Anthropic’s Claude Code network sandbox, could allow attackers to bypass security restrictions and data exfiltration. Claude Code’s network sandbox siphon all outbound traffic via a system that maintains a list of “allowed” hosts (trusted destinations). Any network request going outside that approved list is automatically blocked silently, without allowing the connection.

According to vulnerability researcher Aonan Guan, two Claude Code network sandbox bypasses were discovered recently.

Vulnerability was tracked as CVE-2025-66479 and discovered by a different researcher, was related to the sandbox interpreting a setting to block all outbound traffic as ‘allow everything’.

Two separate vulnerabilities were identified:

Vulnerability	Description
CVE-2025-66479	Sandbox incorrectly interpreted “block all traffic” settings as “allow everything”
SOCKS5 Null-Byte Injection	Attackers could manipulate hostname handling to bypass network restrictions

Step-by-Step Analysis of the Attack

• Claude Code can only communicate with approved hosts.
• Unauthorized outbound connections are blocked.

Attacker Finds Logic Weakness

Researchers discovered the sandbox incorrectly processed certain settings and network requests, specially crafted inputs could confuse the security filtering mechanism.

Exploiting the SOCKS5 Null-Byte Injection

In the second vulnerability: In this case attackers used a specially crafted hostname containing hidden “null-byte” characters. The sandbox interpreted the hostname differently from the actual network connection.

Sandbox Bypass Achieved

Once bypassed the attacker could potentially force outbound connections to unauthorized servers. This breaks the security boundary of the sandbox.

Potential Impact

If successfully exploited, attackers could:

• Exfiltrate sensitive data
• Communicate with attacker-controlled infrastructure
• Bypass AI network restrictions
• Potentially leak prompts, tokens, or internal information

Why This Matters

This vulnerability is important because:

In his disclosure of the Claude Code sandbox vulnerability, researcher’s Guan, noted that the bypass would have been particularly useful in combination with a prompt injection attack. This include comment and control, enabling attackers to exfiltrate data, including environment variables, credentials, tokens, and infrastructure data. 

• AI sandboxes are meant to isolate and secure AI environments.
• Bypassing sandbox protections weakens trust in AI security controls.
• Similar flaws may appear in other AI systems using network restrictions and proxy-based filtering.

Fix & Mitigation

Anthropic reportedly patched the vulnerabilities through security updates.

Update Claude Code to version 2.1.90 or later and verify using:

 Review outbound network logs for suspicious SOCKS proxy connections made between October 20, 2025 and April 1, 2026.

  Rotate all exposed credentials, API keys, and access tokens that Claude Code could access during the vulnerable period.

  Do not rely only on the Claude sandbox for protection. Apply additional network security controls through:

• Firewalls
• OS-level restrictions
• Container security policies
• Egress filtering

Sources: https://community.opentextcybersecurity.com/vulnerability-vault-228/anthropic-silently-patches-claude-code-sandbox-bypass-364366