Canadian Cyber Security Journal
Filed under: TechTalk

Anthropic Silently Patches Claude Code Sandbox Bypass Twice — What Canadian AI and Developer Teams Must Know

What Happened

Security researcher Aonan Guan, who leads cloud and AI security at Wyze Labs, disclosed that every Claude Code release from version 2.0.24 — when the network sandbox was introduced on October 20, 2025 — through version 2.1.89 was vulnerable to a SOCKS5 hostname null-byte injection attack.

The flaw works as follows: Claude Code’s network sandbox checks the hostname of each SOCKS5 proxy connection against an allowlist. An attacker constructs a hostname such as attacker-host.com\0.google.com, where \0 denotes a null byte. The sandbox filter sees the trailing .google.com suffix and passes the request as compliant with the policy. The operating system, reading the same string as a null-terminated one, truncates it at the null byte and dials attacker-host.com instead. The result: the sandbox approves a connection that never goes where the policy intended.
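The check described above is a parsing differential: the filter reasons about the whole string while the network layer stops at the first null byte. The following Python is an added illustration written for this article, not Claude Code’s own code or Anthropic’s fix. It places a suffix-only allowlist check beside a hardened check that validates hostname syntax before comparing, and simulates the null-terminated view rather than opening any connection. The allowlist entries and sample hostnames are constructed.

```python
"""
Allowlist checks for proxied hostnames: a suffix-only check that an embedded
null byte can confuse, beside a hardened check that rejects such input.
Illustrative code for this article, not the Claude Code implementation.
"""
import re

# Constructed allowlist of domains the policy permits (and their subdomains).
ALLOWED_DOMAINS = {"google.com", "api.github.com"}

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def naive_is_allowed(hostname: str) -> bool:
    """Flawed check: only looks at the tail of whatever string it was handed."""
    return any(hostname == d or hostname.endswith("." + d) for d in ALLOWED_DOMAINS)


def c_string_view(hostname: str) -> str:
    """Simulate a consumer that treats the name as a NUL-terminated C string."""
    return hostname.split("\0", 1)[0]


def hardened_is_allowed(hostname: str) -> bool:
    """Validate syntax first, then compare the canonical name against the allowlist."""
    if not hostname or len(hostname) > 253:
        return False
    # Control characters (NUL included), whitespace and non-ASCII can never
    # appear in a hostname, so reject them before any policy comparison.
    if any(ord(ch) < 0x21 or ord(ch) > 0x7E for ch in hostname):
        return False
    # Canonicalise: strip a trailing dot and fold case so "Mail.Google.com."
    # and "mail.google.com" are judged identically.
    name = hostname.rstrip(".").lower()
    labels = name.split(".")
    if not all(_LABEL.match(label) for label in labels):
        return False
    return any(name == d or name.endswith("." + d) for d in ALLOWED_DOMAINS)


def policy_disagreement(hostname: str) -> bool:
    """True when the naive filter approves a name whose NUL-terminated view is not allowlisted.

    This is the condition a sandbox must never reach: the policy layer and the
    layer that actually dials out disagree about which host is being contacted.
    """
    return naive_is_allowed(hostname) and not naive_is_allowed(c_string_view(hostname))


if __name__ == "__main__":
    crafted = "other-host.example\0.google.com"  # constructed sample
    print("naive filter approves:", naive_is_allowed(crafted))
    print("NUL-terminated view  :", c_string_view(crafted))
    print("layers disagree      :", policy_disagreement(crafted))
    print("hardened approves    :", hardened_is_allowed(crafted))
```

The hardened variant does the validation the page describes as missing: because it rejects any byte that cannot legally occur in a hostname before it compares suffixes, there is no string on which it and a null-terminated consumer can reach different answers. The `policy_disagreement` helper is a useful unit-test oracle for any such filter.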

Anthropic fixed the issue in version 2.1.90, released April 1, 2026 — but without assigning a CVE, without publishing a security advisory, and without mentioning the issue in its public release notes. SecurityWeek and The Register confirmed the disclosure after Guan went public.

This is the second time in five months that Anthropic has silently patched a sandbox bypass in Claude Code. The first involved a separate network egress control failure. Neither was given a CVE identifier.

Why This Matters for Canadian Organizations

Claude Code is actively used by Canadian developer teams, engineering organizations, and AI research groups. Agentic coding tools that execute autonomously — reading files, writing code, making network calls — have a fundamentally different security profile than passive AI assistants. A sandbox bypass in an agentic tool means an attacker who controls the prompts or the code context can instruct the agent to exfiltrate source code, credentials, environment variables, and other sensitive data to an external server, all while the sandbox appears to be enforcing its policy.

Organizations running Claude Code in CI/CD pipelines, developer workstations, or automated workflows should treat agentic AI tools with the same rigor applied to any code that executes with access to production credentials or sensitive repositories. The OSFI Guideline B-13 framework for technology and cyber risk management explicitly covers third-party AI tool supply chain risk for federally regulated financial institutions. More broadly, under PIPEDA, organizations are responsible for personal information under their control even when processed by third-party tools.

The silent patching pattern is also a governance concern. When a security flaw in a widely used developer tool goes unacknowledged — no CVE, no advisory, no release note — organizations have no reliable mechanism to know they were exposed, assess impact, or determine whether exploitation occurred. Vulnerability management programs that rely on CVE tracking would have missed this entirely for months.

What to Do

Update Claude Code to version 2.1.90 or later immediately. Audit any CI/CD pipelines, developer machines, or agentic workflows that ran Claude Code between October 20, 2025 and April 1, 2026, with particular attention to any network activity that occurred during agentic sessions. Review access logs for unexpected outbound connections originating from environments where Claude Code was active.

Establish a policy for agentic AI tools that requires network egress controls to be validated independently — do not treat the tool vendor’s sandbox as your only control. Apply egress filtering at the host or network level to constrain what agentic tools can reach, regardless of the tool’s internal sandbox claims.

For the full disclosure, see the SecurityWeek report and the researcher’s detailed writeup on the null-byte injection technique.
