Anthropic Silently Patches Claude Code Sandbox Bypass

A cybersecurity researcher says Anthropic has silently patched a vulnerability that would have allowed an attacker to bypass the Claude Code network sandbox, potentially enabling data exfiltration.

Claude Code’s network sandbox funnels all outbound traffic through a local allowlist proxy, silently blocking any connection to unapproved hosts.

According to vulnerability researcher Aonan Guan, two Claude Code network sandbox bypasses were discovered recently. One of them, tracked as CVE-2025-66479 and discovered by a different researcher, was related to the sandbox interpreting a setting to block all outbound traffic as ‘allow everything’.

This issue was fixed with an update released on November 26, 2025.

The second sandbox bypass vulnerability, discovered by Guan, has been described as a SOCKS5 hostname null-byte injection issue.

Anthropic Silently Patches Claude Code Sandbox Bypass

Other newsrooms on this story

Related reading

Anthropic’s Claude Is Pumping Out Vulnerable Code, Cyber Experts Warn

Other newsrooms on this story

Related reading

Anthropic’s Claude Is Pumping Out Vulnerable Code, Cyber Experts Warn

Anthropic accidentally leaks Claude Code source in npm slip

Anthropic adds self-hosted sandboxes and MCP tunnels to Claude Managed Agents

Claude’s new AI file-creation feature ships with security risks built in

How Anthropic discovered and blocked an AI-orchestrated cyber attack - TechTalks

The Claude Code RCE: How Eager Parsing Led to Remote Execution