Anthropic's Claude Code, an AI programming tool, has been found to contain a significant security vulnerability in its network sandbox feature. Independent researcher Aonan Guan discovered an empty byte injection attack in the SOCKS5 protocol, allowing unauthorized access to restricted hosts. This flaw has been present since the sandbox's launch in October 2025, affecting all versions until a silent patch was applied on April 1, 2026. Despite the severity, Anthropic has not issued a security advisory or CVE, leaving users unaware of the risk.
The vulnerability exploits a discrepancy in how JavaScript and C handle null bytes, enabling attackers to bypass domain restrictions. This issue, combined with a previously disclosed prompt injection attack, poses a significant threat to sensitive data security. Anthropic's handling of the situation, including a lack of transparency and communication, has drawn criticism from the security community, highlighting the need for robust disclosure practices and effective security measures.
Claude Code AI Tool Exposed to Major Security Vulnerability
Aviso legal: El contenido de Phemex News es únicamente informativo.No garantizamos la calidad, precisión ni integridad de la información procedente de artículos de terceros.El contenido de esta página no constituye asesoramiento financiero ni de inversión.Le recomendamos encarecidamente que realice su propia investigación y consulte con un asesor financiero cualificado antes de tomar cualquier decisión de inversión.