Even Claude agrees: hole in its sandbox was real and dangerous
Briefly

Two patched vulnerabilities in Claude Code’s network sandbox could be used to bypass its connection restrictions. One flaw is a SOCKS5 hostname null-byte injection that can trick the sandbox allowlist filter into permitting connections that should be blocked. When combined with prompt injection, an attacker can cause Claude to read hidden instructions and execute attacker-controlled code inside the sandbox. That code can exfiltrate any data reachable from the sandbox, including cloud and GitHub credentials, the GitHub token used for authentication, cloud metadata, and internal APIs. The researcher reported both flaws and warned that systems using wildcard allowlists faced an exposure window during which the network boundary did not exist. Anthropic states the latest issue was fixed before the report and points to a public commit shipped in Claude Code 2.1.88.
"Two now-patched bypass bugs in Claude Code's network sandbox put users at risk, and one of these allows baddies to send anything inside the sandbox - credentials, source code, other private data - to any server on the internet, according to a researcher who found and reported both flaws to Anthropic."
"The latest issue was a SOCKS5 hostname null-byte injection that can be exploited to trick the sandbox allowlist filter into approving connections it should block. It's especially dangerous when combined with prompt injection, which Guan previously detailed in his earlier comment and control research."
"When paired with prompt injection, the new flaw can be abused to force Claude to read hidden instructions and then run attacker-controlled code in the sandbox, allowing miscreants to exfiltrate anything the sandbox could reach. This includes cloud and GitHub credentials, the GitHub token Claude authenticated with, cloud metadata and internal APIs."
"'For anyone who ran Claude Code with a wildcard allowlist on a credential-bearing system, the network boundary did not exist for the 5.5 months from sandbox GA to v2.1.90,' Guan wrote in research published Wednesday. 'Treat that window as a potential exfiltration event.'"
Read at theregister
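
An added example, not code from Anthropic or the researcher: the page does not describe the fix, so this shows one defensive pattern for this bug class, a SOCKS5 CONNECT parser that rejects NUL and other illegal bytes in the hostname before any wildcard allowlist match. It assumes the risk is that the allowlist check and a later name lookup disagree about a hostname containing a NUL byte; function names and sample hosts are hypothetical.

```javascript
// Added example; function names and sample hosts are hypothetical.
const ATYP_DOMAIN = 0x03;
// One DNS label: letters, digits, hyphens, no hyphen at either end, max 63 bytes.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;

// Parse a SOCKS5 CONNECT request (RFC 1928) whose target is a domain name.
// Throws on anything malformed so the caller can fail closed.
function parseConnect(buf) {
  if (buf.length < 7 || buf[0] !== 0x05 || buf[1] !== 0x01 || buf[2] !== 0x00)
    throw new Error("not a SOCKS5 CONNECT request");
  if (buf[3] !== ATYP_DOMAIN) throw new Error("only domain targets handled");
  const len = buf[4];
  if (buf.length !== 5 + len + 2) throw new Error("length mismatch");
  const raw = buf.subarray(5, 5 + len);
  // Check raw bytes before any string handling: NUL, control bytes, space
  // and non-ASCII never belong in a hostname.
  for (const b of raw)
    if (b <= 0x20 || b >= 0x7f) throw new Error("illegal byte in hostname");
  const host = raw.toString("latin1").toLowerCase().replace(/\.$/, "");
  if (host.length > 253 || !host.split(".").every((l) => LABEL.test(l)))
    throw new Error("invalid hostname");
  return { host, port: buf.readUInt16BE(5 + len) };
}

// Exact match, or "*.suffix" wildcard match on the already validated host.
function isAllowed(host, allowlist) {
  return allowlist.some((rule) =>
    rule.startsWith("*.") ? host.endsWith(rule.slice(1)) : host === rule);
}

// Validate first, match second; any parse error is a refusal.
function decide(buf, allowlist) {
  try {
    return isAllowed(parseConnect(buf).host, allowlist) ? "allow" : "deny";
  } catch (e) {
    return "reject: " + e.message;
  }
}

// Builds a constructed request for exercising the parser (test input only).
function buildConnect(host, port) {
  const h = Buffer.from(host, "latin1");
  const p = Buffer.alloc(2);
  p.writeUInt16BE(port);
  return Buffer.concat([Buffer.from([5, 1, 0, ATYP_DOMAIN, h.length]), h, p]);
}
```

Matching alone is not enough: `isAllowed` on an unvalidated string with an embedded NUL still passes a suffix wildcard, which is why `decide` refuses the request at the parsing step.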