Anthropic has recently resolved a security issue within its Claude Code network sandbox, following a researcher’s discovery of a vulnerability that allowed attackers to bypass established security protocols. This patch addresses concerns about potential data exfiltration stemming from the flaw.
The issue originated from the sandbox’s design, which aimed to direct outbound traffic through a local allowlist proxy to block unauthorized connections. However, researcher Aonan Guan identified two distinct bypass vulnerabilities. The first, tracked as CVE-2025-66479, involved a misconfiguration of a setting intended to block all outbound traffic; instead, it permitted all connections.
This flaw was fixed with an update released on November 26, 2025. The second vulnerability, uncovered by Guan, pertained to a SOCKS5 hostname null-byte injection issue. In this case, an attacker could exploit a policy that allowed connections only to *.google.com. By sending a malicious hostname like attacker-host.com\x00.google.com, the filter would mistakenly approve the connection because it recognized the trailing .google.com, thereby circumventing the intended restrictions.
Guan's findings reveal that this second vulnerability had been present since October 20, 2025, when the sandbox became generally available. It remained unaddressed until Guan reported it through Anthropic’s bug bounty program, at which point it was marked as a duplicate, raising concerns about the company's transparency and responsiveness.
The researcher expressed dissatisfaction with Anthropic’s lack of a CVE identifier for this vulnerability and the absence of communication regarding its existence in release notes. "A team running the vulnerable configuration in production from October 20 through November 26 had no way to know the sandbox was effectively off, and no notice afterwards that it had ever been off," Guan stated. He noted that the CVE assigned to the ‘sandbox-runtime’ library did not directly inform Claude Code users, as many were likely unaware of the library's name or its implications.
This oversight has significant implications, particularly for enterprises relying on Claude Code for their operations. Without clear communication about security vulnerabilities, users may inadvertently expose themselves to risks that could lead to data breaches or other security incidents. As AI technology evolves, the need for transparency in security practices becomes increasingly important.
Looking ahead, Anthropic will likely focus on enhancing its security measures and improving communication with its user base. The recent vulnerabilities in Claude Code highlight the necessity of vigilance in cybersecurity, especially as dependence on AI technologies increases. The lessons learned from this incident may encourage other AI firms to reevaluate their security protocols and communication strategies to avoid similar issues in the future.
Quick answers
What was the vulnerability in Claude Code?
The vulnerability allowed attackers to bypass the network sandbox's security measures, potentially leading to data exfiltration.
How long was the vulnerability present?
The vulnerability existed from October 20, 2025, until it was patched on November 26, 2025.
What actions did Anthropic take in response to the vulnerability?
Anthropic released a patch to fix the vulnerability but did not assign a CVE identifier to the second issue discovered.
What should users of Claude Code be aware of?
Users should be cautious about security communications from Anthropic, especially regarding vulnerabilities in their systems.
