A critical null-byte injection vulnerability in Anthropic’s Claude Code network sandbox allowed any process running within it to silently bypass egress restrictions and connect to explicitly blocked hosts, potentially exposing AWS credentials, API keys, GitHub tokens, and environment variables for over five months across approximately 130 published versions.
Security researcher Aonan Guan publicly disclosed the flaw on May 20, 2026, marking the second complete sandbox bypass in five months and the second time Anthropic shipped a silent fix without issuing a formal security advisory.
Claude Code’s network sandbox is designed to funnel all outbound traffic through a local SOCKS5 allowlist proxy, restricting egress to user-defined hostnames such as *.google.com. The bypass exploits a parser differential between JavaScript and the underlying C library libc.
When a CONNECT request is issued, the SOCKS5 proxy passes raw DOMAINNAME bytes into a JavaScript endsWith() check against the wildcard allowlist.
JavaScript treats \x00 as an ordinary UTF-16 code unit, so a crafted hostname like attacker-host.com\x00.google.com evaluates as ending with .google.com and is approved by the policy filter.
However, when that same string reaches getaddrinfo() in libc for DNS resolution, the C runtime truncates at the null byte and resolves only attacker-host.com the host the policy was explicitly configured to block. The outbound channel opens silently, with no error logged.
“The blocked host is reached, and the outbound exfiltration channel is open,” Guan stated. The attack becomes significantly more dangerous when chained with prompt injection.
A hidden instruction embedded in a GitHub issue comment, README file, or any document Claude Code reads during normal operation is sufficient to trigger attacker-controlled code inside the sandbox which can then invoke the null-byte bypass to exfiltrate data.
Prior to the patch in v2.1.90, an attacker exploiting this chain could silently exfiltrate:
- AWS credentials stored in
~/.aws/ - GitHub personal access tokens
- Model API keys and session tokens
- Environment variables containing secrets
- Cloud instance metadata via
169.254.169.254routed through the compromised SOCKS proxy
This is the second bypass of the same sandbox. The first, CVE-2025-66479, was a configuration semantics bug: setting allowedDomains: [] the most restrictive option intended to block all traffic caused the sandbox to evaluate 0 > 0 = false, disabling the proxy entirely and leaving all outbound traffic unrestricted.
That flaw was silently patched in v2.0.55 on November 26, 2025 the same release that introduced the null-byte injection vulnerability still intact.
Anthropic fixed the second bypass in sandbox-runtime 0.0.43 (commit fd74a3f), corresponding to Claude Code v2.1.90, released April 1, 2026.
The release notes contain no mention of a security fix. As of May 10, 2026, no CVE has been assigned, no advisory has been published, and no user outreach has been made for the 5.5-month vulnerable window.
Guan’s HackerOne report (#3646509) was closed as a duplicate of an internal ticket, with Anthropic indicating it had “not yet decided whether a CVE will be published.”
Affected Versions and Immediate Mitigation
Every Claude Code release from v2.0.24 through v2.1.89 is confirmed vulnerable. Users should act immediately:
- Update to Claude Code v2.1.90 or later (
claude --versionto confirm) - Audit outbound SOCKS-mediated connection logs for the October 20, 2025 April 1, 2026 window
- Rotate all credentials, API keys, and tokens accessible during the vulnerable period
- Enforce independent egress controls at the OS, container, or firewall level do not treat the vendor sandbox as a hard network boundary
The patch itself introduces an isValidHost() wrapper in sandbox-runtime 0.0.43 that rejects \x00, %, CRLF, and non-DNS characters before any hostname matching occurs a canonicalization layer that should have been present since the sandbox reached general availability on October 20, 2025.
No Comment! Be the first one.