Anthropic’s Claude Code Faces Security Scrutiny Over Unreported Vulnerabilities

Two bypass vulnerabilities have been discovered in Anthropic's Claude Code, which were patched without public disclosure, raising alarms about user safety and the transparency of AI security practices. Security researcher Aonan Guan identified these flaws, which could have allowed attackers to exfiltrate sensitive information, including cloud credentials and source code, from within the network's sandbox environment.

Guan, who leads cloud and AI security at Wyze Labs, reported these issues to Anthropic, marking the second time in five months that significant vulnerabilities were fixed without a Common Vulnerability and Exposure (CVE) designation or an accompanying advisory. The latest flaw involved a SOCKS5 hostname null-byte injection that could bypass the sandbox's allowlist filter. This vulnerability potentially exposed users to prompt injection attacks, which are particularly alarming.

For those using Claude Code with a wildcard allowlist on systems handling credentials, there was a critical five-and-a-half-month period during which the network boundary was effectively nonexistent. Guan warned that this window should be considered a potential exfiltration event, underscoring the serious implications of the oversight.

Lack of Transparency in Vulnerability Disclosure

Anthropic claims it identified and addressed the issue prior to receiving Guan's report. The company stated that the fix was included in the public commit for the sandbox-runtime repository as part of the Claude Code version 2.1.88 update released on March 31. However, Guan's concerns extend beyond the timing of the fix. He stresses the need for transparency in vulnerability disclosures, particularly in the AI sector, where users often lack insight into the risks associated with the tools they use.

"Shipping a sandbox with a hole is worse than not shipping one," Guan said, highlighting the dangers users face when they assume their systems are secure. The lack of a proper advisory or CVE leaves users unaware of potential security risks, exacerbating the problem.

The Responsibility of AI Developers

The history of vulnerability disclosures in the AI field raises questions about the responsibilities of developers like Anthropic. Guan notes that while some vendors provide CVEs, others do not, leading to inconsistent practices across the industry. He advocates for a standardized advisory process to keep users informed of potential risks, stating, "The users need to know the risk is real, and they may never know."

He hopes that larger technology companies will take greater responsibility in communicating security issues to users, similar to conducting background checks and defining permissions before granting access to systems. This diligence is essential for maintaining user trust and making sure the safe deployment of AI tools.

Moving Forward

As the AI sector evolves, the importance of security in AI agents cannot be overlooked. Users should take proactive measures to secure their systems, whether through third-party security solutions or user-managed runtime isolation. The incidents involving Claude Code serve as a reminder that the burden of security often falls on end users, who may struggle to handle the challenges without clear guidance from developers.

As the industry progresses, the demand for greater transparency and accountability remains critical. The recent vulnerabilities within Claude Code underscore the urgent need for a more stable approach to security in AI development, making sure that users are not left uninformed about the tools they depend on.