Anthropic's Claude Code, an AI programming tool, has been found to contain a significant security vulnerability in its network sandbox feature. Independent researcher Aonan Guan discovered a null byte injection attack against the sandbox's SOCKS5 protocol handling, allowing unauthorized access to restricted hosts. This flaw has been present since the sandbox's launch in October 2025, affecting all versions until a silent patch was applied on April 1, 2026. Despite the severity, Anthropic has not issued a security advisory or CVE, leaving users unaware of the risk.
The vulnerability exploits a discrepancy in how JavaScript and C handle null bytes, enabling attackers to bypass domain restrictions. This issue, combined with a previously disclosed prompt injection attack, poses a significant threat to sensitive data security. Anthropic's handling of the situation, including a lack of transparency and communication, has drawn criticism from the security community, highlighting the need for robust disclosure practices and effective security measures.
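The parsing mismatch described above can be closed by validating the SOCKS5 DOMAINNAME field strictly before any policy decision. The following is an added example, not Claude Code's or Anthropic's code: the suffix-style allowlist, the function names and every hostname are assumptions constructed for illustration, since the article does not describe the sandbox's actual matching logic.

```javascript
// Added example: strict validation of a SOCKS5 DOMAINNAME before allowlisting.
// ALLOWED and all hostnames used with it are constructed sample values.
const ALLOWED = ["allowed.example"];

// Parse the address of a SOCKS5 CONNECT request (RFC 1928, ATYP 0x03 only).
// Layout: VER CMD RSV ATYP LEN <LEN bytes of name> PORT (2 bytes, big endian)
function parseDomainRequest(buf) {
  if (buf.length < 7 || buf[0] !== 0x05 || buf[3] !== 0x03) return null;
  const len = buf[4];
  if (buf.length !== 5 + len + 2) return null;
  // latin1 keeps every byte, including 0x00, as one character.
  const host = buf.subarray(5, 5 + len).toString("latin1");
  return { host, port: buf.readUInt16BE(5 + len) };
}

// What a NUL-terminated C string API would see of the same bytes.
function asCString(host) {
  const i = host.indexOf("\0");
  return i === -1 ? host : host.slice(0, i);
}

// Naive policy check (assumed suffix match): looks at the full JS string.
function naiveAllowed(host) {
  return ALLOWED.some((d) => host === d || host.endsWith("." + d));
}

// Hardened check: accept only letter-digit-hyphen labels, so NUL and other
// control bytes are rejected before any policy decision is made.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
function strictAllowed(host) {
  const h = host.toLowerCase();
  if (h.length === 0 || h.length > 253) return false;
  if (!h.split(".").every((l) => LABEL.test(l))) return false;
  return naiveAllowed(h);
}

// Build a constructed CONNECT request for a given name (test helper).
function buildRequest(name, port) {
  const n = Buffer.from(name, "latin1");
  const p = Buffer.alloc(2);
  p.writeUInt16BE(port);
  return Buffer.concat([Buffer.from([5, 1, 0, 3, n.length]), n, p]);
}
```

The point of comparing `naiveAllowed` with `asCString` is that a policy check and a resolver must agree on the exact bytes of the name; rejecting anything outside the hostname grammar removes the disagreement.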
Claude Code AI Tool Exposed to Major Security Vulnerability
