Anthropic's Claude Code, an AI programming tool, has been found to contain a significant security vulnerability in its network sandbox feature. Independent researcher Aonan Guan discovered an empty byte injection attack in the SOCKS5 protocol, allowing unauthorized access to restricted hosts. This flaw has been present since the sandbox's launch in October 2025, affecting all versions until a silent patch was applied on April 1, 2026. Despite the severity, Anthropic has not issued a security advisory or CVE, leaving users unaware of the risk.
The vulnerability exploits a discrepancy in how JavaScript and C handle null bytes, enabling attackers to bypass domain restrictions. This issue, combined with a previously disclosed prompt injection attack, poses a significant threat to sensitive data security. Anthropic's handling of the situation, including a lack of transparency and communication, has drawn criticism from the security community, highlighting the need for robust disclosure practices and effective security measures.
Claude Code AI Tool Exposed to Major Security Vulnerability
Avertissement : Le contenu proposé sur Phemex News est à titre informatif uniquement. Nous ne garantissons pas la qualité, l'exactitude ou l'exhaustivité des informations provenant d'articles tiers. Ce contenu ne constitue pas un conseil financier ou d'investissement. Nous vous recommandons vivement d'effectuer vos propres recherches et de consulter un conseiller financier qualifié avant toute décision d'investissement.