Viss

https://oddguan.com/blog/second-time-same-sandbox-anthropic-claude-code-network-allowlist-bypass-data-exfiltration/

if you use claude code
anywhere
for anything

do not run it where there are secrets or sensitive files. if claude code has access to things, this is just another way it can ruin your day/week/month/year

Second Time, Same Sandbox: Another Anthropic Claude Code Network Sandbox Bypass Enables Data Exfiltration

For the second time in five months, Anthropic Claude Code's network sandbox lets a process inside reach hosts the user's policy says to block, and exfiltrate any data the process touches. Every Claude Code release from 2.0.24 (sandbox GA on 2025-10-20) through 2.1.89 was vulnerable to a SOCKS5 hostname null-byte injection. About 5.5 months and ~130 versions, including the release that silently fixed the first sandbox bypass. Both findings ended in a silent fix and no Claude Code security advisory.

Aonan Guan
May 20 at 5:14pmWeb
Show threadJason Petersen (he)1d ago
@Viss I cannot stress this enough: there is a limit to how much work I will do to secure an employer who is pushing this stuff as must-use and that limit is fairly quick