Anthropic's Claude Code network sandbox funnels outbound traffic through a local allowlist proxy to block unapproved connections. A vulnerability involving a SOCKS5 hostname null-byte injection allowed attackers to bypass this filter by appending a null byte to a hostname, causing the OS to truncate the string and connect to an unauthorized host. This bypass existed from October 20, 2025, until fixed in version 2.1.88 released on March 31, 2026. The vulnerability was reported through Anthropic's bug bounty program but was already patched prior to the report. Anthropic did not assign a CVE or include the fix in release notes, and the patch was applied to the underlying 'sandbox-runtime' library rather than Claude Code itself. The bypass could have been exploited in combination with prompt injection attacks to exfiltrate sensitive data such as environment variables and credentials.

The vulnerability allowed attackers to bypass network sandbox restrictions designed to limit outbound connections, potentially enabling unauthorized data exfiltration. When combined with prompt injection attacks, it could have exposed environment variables, credentials, tokens, and infrastructure data. However, there are no reports of active exploitation in the wild. The patch was released before public disclosure, reducing the risk to users who applied updates promptly. Lack of clear communication and CVE assignment may have delayed user awareness and mitigation.

Anthropic fixed the vulnerability in Claude Code version 2.1.88 released on March 31, 2026, by updating the underlying sandbox-runtime library. Users should ensure they are running version 2.1.88 or later to be protected. Since the service is not cloud-hosted, manual updates are required. Anthropic did not provide a CVE or detailed release notes for this fix, so users should verify their version and update accordingly. No additional mitigation actions are indicated by the vendor.