Anthropic Silently Patches Claude Code Sandbox Bypass

The recent discovery of a null‑byte hostname injection in Anthropic's Claude Code sandbox underscores a growing class of AI‑driven attack vectors. By manipulating the allowlist proxy, an attacker could present a crafted hostname like "attacker-host.com\0.google.com," tricking the filter into approving the connection while the operating system truncates at the null byte and reaches the malicious host. This bypass was active from the service’s general availability in October 2025 until the March 31, 2025 release of version 2.1.88, which incorporated the fix in the sandbox‑runtime library. Although Anthropic applied the patch before the researcher’s formal report, the lack of a CVE identifier and omission from public release notes left users unaware of the risk.

The vulnerability gains particular relevance when paired with prompt‑injection techniques such as the "Comment and Control" method disclosed by the same researcher. Prompt injection can coerce AI agents into executing unintended commands, and when combined with a sandbox bypass, it creates a conduit for exfiltrating environment variables, API keys, and other sensitive infrastructure data. This synergy illustrates how AI code‑generation tools, GitHub Actions, and other automation pipelines can become attack surfaces if their runtime environments are not rigorously isolated.

Anthropic's handling of the issue raises broader questions about responsible disclosure in the AI ecosystem. Assigning CVEs and clearly communicating fixes are essential for maintaining trust among enterprise customers who rely on AI assistants for critical workflows. As AI integration deepens across development and operations, vendors must adopt transparent vulnerability management practices, and organizations should proactively audit sandbox configurations and monitor for anomalous outbound traffic to mitigate similar threats.