Aonan Guan published a (second) complete bypass of Claude Code’s network sandbox. With it, a process inside the sandbox can reach a host that Claude Code’s allowlist says to block, so Claude Code can exfiltrate whatever it can touch.
First-principle learnings:
- Never bet on a single trust boundary, especially if you don’t control it. Layer your defenses.
- A broken sandbox is even worse than no sandbox if the user is counting on it for containment.
The vendor sandbox is only the inner ring of defense; it is not the “wall”. That wall needs to live somewhere the agent cannot control, such as a VM or container with strict egress networking rules enforced outside the agent’s influence.
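
One way to build that outer wall, as an added example that is not from the original post or from Claude Code: an nftables ruleset loaded on the host, so the kernel drops the agent's traffic no matter what the in-sandbox allowlist decides. The bridge name `br-agent` and every address are assumptions (documentation-range placeholders).

```nftables
#!/usr/sbin/nft -f
# Added example: host-side egress wall for an agent VM or container.
# Assumptions: the agent sits behind a bridge named "br-agent";
# all addresses below are constructed placeholders.

# Create-then-delete makes reloading this file idempotent.
table inet agent_egress
delete table inet agent_egress

table inet agent_egress {
    # Destinations the agent may reach over HTTPS (constructed values).
    set allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.10, 203.0.113.32/28 }
    }

    chain forward {
        type filter hook forward priority -10; policy accept;

        # Only traffic arriving from the agent's bridge is filtered here.
        iifname != "br-agent" accept

        # Packets belonging to flows that were already permitted.
        ct state established,related accept

        # DNS to a single resolver only.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept

        # HTTPS to allowlisted destinations only.
        ip daddr @allowed_v4 tcp dport 443 accept

        # Everything else, including all IPv6, is counted, logged and dropped.
        counter log prefix "agent-egress-drop: " drop
    }

    chain input {
        type filter hook input priority -10; policy accept;

        # The agent must not open connections to services on the host itself.
        iifname "br-agent" ct state established,related accept
        iifname "br-agent" counter drop
    }
}
```

A drop verdict here is final even if other firewall tables would accept the packet, and the `agent-egress-drop:` log lines give the host a record of attempts the inner sandbox failed to stop. The permitted resolver is still a channel this allowlist does not cover, so it should log queries and answer only for the allowlisted names.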