Claude Code's Silent Security Flaws Expose Users to Data Breaches
#Vulnerabilities


Privacy Reporter

Anthropic's AI coding assistant contained critical sandbox vulnerabilities that allowed potential data exfiltration, yet the company failed to properly disclose the risks to users, raising concerns about transparency in AI security practices.

Security researchers have uncovered dangerous vulnerabilities in Anthropic's Claude Code that could have allowed attackers to bypass network security controls and extract sensitive data, including credentials and source code. Despite the severity of these flaws, Anthropic patched them without issuing proper security advisories or CVE identifiers, leaving users in the dark about potential exposure.

The most recent vulnerability, a SOCKS5 hostname null-byte injection, could trick Claude Code's network sandbox filter into approving connections that should have been blocked. When combined with prompt injection techniques, this flaw created a pathway for attackers to force the AI assistant to read hidden instructions and execute attacker-controlled code within the sandbox environment.

"For anyone who ran Claude Code with a wildcard allowlist on a credential-bearing system, the network boundary did not exist for the 5.5 months from sandbox GA to v2.1.90," explained Aonan Guan, security researcher at Wyze Labs who discovered both vulnerabilities. "Treat that window as a potential exfiltration event."

The compromised sandbox could reach and extract various sensitive data, including:

  • Cloud credentials and API keys
  • GitHub authentication tokens
  • Source code and proprietary information
  • Cloud metadata and internal APIs

This isn't an isolated incident. According to Guan, this marks the second time in five months that Anthropic has silently fixed a sandbox bypass vulnerability in Claude Code without issuing a CVE or specific security advisory. The earlier vulnerability, reported in December 2025, was eventually assigned CVE-2025-66479, but only for Anthropic's sandbox-runtime package, not specifically for Claude Code itself.

The lack of transparency creates significant compliance risks under regulations like GDPR and CCPA. Organizations using Claude Code may have unknowingly exposed sensitive user data or proprietary information, potentially triggering mandatory breach notifications and substantial fines. Under GDPR, penalties for data protection failures can reach up to 4% of global annual turnover or €20 million, whichever is higher. Similarly, CCPA violations can result in penalties of up to $7,500 per intentional violation.

When approached for comment, Anthropic acknowledged the vulnerability had been fixed before Guan's report and pointed to a public commit in their sandbox-runtime repository. However, the company maintained that no CVE was necessary because "the root cause is in the library." This approach leaves users without clear visibility into whether their implementation of Claude Code might still be vulnerable.

"The core issue is that this was a bypass of a user-configured network sandbox, and there's still no advisory, no CVE, and no changelog note," Guan emphasized. "Shipping a sandbox with a hole is worse than not shipping one. The user with no sandbox knows they have no boundary. The user with a broken sandbox thinks they do."

Notably, even Claude itself acknowledged the severity of the vulnerability when presented with it, responding with "This is a real bypass of the network sandbox filter." This self-awareness underscores the legitimacy of Guan's findings.

The broader pattern of inadequate vulnerability disclosure in AI systems raises serious concerns about user protection. As AI agents become more prevalent in workplaces and handle increasingly sensitive data, the lack of standardized security practices creates significant risks. Users are often left unaware of vulnerabilities that may have exposed their data, with no clear guidance on whether they need to take remediation actions.

Guan suggests that companies should treat AI agents more like employees than ordinary software tools, implementing proper access controls and monitoring. "Before hiring an employee, companies do background checks. Before giving them access to systems, they define permissions. The same discipline should apply to AI agents," he stated.

For organizations using Claude Code or similar AI coding assistants, this situation highlights the critical importance of implementing additional security layers beyond vendor promises. Companies should:

  • Implement network segmentation to limit AI agent access
  • Monitor for unusual data exfiltration attempts
  • Consider runtime isolation technologies
  • Demand transparency about security practices from AI vendors

The incident also calls for industry-wide standards for AI vulnerability disclosure that balance researcher incentives with user rights to know about potential exposures. As AI systems become more integrated into critical workflows, the responsibility for securing these technologies cannot remain solely with end users.
