CVE-2025-66479

N/A Unknown

📋 TL;DR

A vulnerability in Anthropic Sandbox Runtime versions before 0.0.16 allows sandboxed processes to bypass network restrictions when the sandbox policy does not specify any allowed domains, enabling unauthorized network requests. This affects users of sandbox-runtime who rely on it to enforce network isolation for arbitrary processes without containerization. The bug is in the sandboxing logic, where missing domain configurations fail to block all network traffic.

💻 Affected Systems

Products:
  • Anthropic Sandbox Runtime
Versions: Versions prior to 0.0.16
Operating Systems: Linux-based systems (as sandbox-runtime is an OS-level tool)
Default Config Vulnerable: ✅ No
Notes: Vulnerability only triggers if the sandbox policy does not configure any allowed domains; default or typical configurations may include domain settings, reducing exposure.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sandboxed malicious code could exfiltrate sensitive data, communicate with command-and-control servers, or launch attacks on internal or external networks, compromising system integrity and confidentiality.

🟠 Likely Case

Inadvertent or low-privilege sandboxed processes may access unintended network resources, potentially leading to data leakage or unauthorized actions, though impact depends on the specific sandboxed application.

🟢 If Mitigated

If proper sandbox policies include allowed domains or other network controls, the vulnerability is mitigated, limiting network access as intended.

🌐 Internet-Facing: MEDIUM, as exploitation could allow outbound network requests from internet-facing systems, but requires a vulnerable sandbox configuration and sandboxed code execution.
🏢 Internal Only: MEDIUM, as internal systems using sandbox-runtime with misconfigured policies could be exploited for lateral movement or data exfiltration within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to execute code within a sandboxed process and a misconfigured policy; no authentication bypass is needed beyond that.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.16

Vendor Advisory: https://github.com/anthropic-experimental/sandbox-runtime/security/advisories/GHSA-9gqj-5w7c-vx47

Restart Required: Yes

Instructions:

  1. Update sandbox-runtime to version 0.0.16 or later using package manager or manual installation.
  2. Restart any processes or services using sandbox-runtime to apply the fix.
  3. Verify the update with version check commands.

🔧 Temporary Workarounds

Configure allowed domains in sandbox policy

linux

Modify the sandbox policy to include at least one allowed domain, which enforces network restrictions and prevents the bypass.

Edit the sandbox policy file to add 'allowed_domains' configuration, e.g., 'allowed_domains: ["example.com"]'

🧯 If You Can't Patch

  • Ensure all sandbox policies specify allowed domains to enforce network restrictions.
  • Monitor network traffic from sandboxed processes for unauthorized outbound connections and block suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check the sandbox-runtime version; if it is below 0.0.16 and the sandbox policy lacks allowed domains, the system is vulnerable.

Check Version:

sandbox-runtime --version or check package manager output (e.g., dpkg -l sandbox-runtime)

Verify Fix Applied:

After updating to 0.0.16 or later, test sandboxed processes with a policy without allowed domains to confirm network requests are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Logs showing sandboxed processes making unexpected network connections or errors related to sandbox enforcement failures.

Network Indicators:

  • Unusual outbound network traffic from processes expected to be sandboxed, especially to unauthorized domains.

SIEM Query:

Example: search for network events where source process matches sandbox-runtime and destination is not in allowed domains list.
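
The "Check if Vulnerable" condition and the SIEM search described above, as an added example (not sandbox-runtime's code and not this site's scripts). It assumes the policy is already parsed into a dict with the `allowed_domains` key used on this page, that a `*.` prefix means any subdomain, and that egress events carry hypothetical `sandboxed` and `dest_host` fields; the sample events are constructed.

```python
# Added example. Record shapes and wildcard semantics are assumptions,
# not sandbox-runtime's API or log format.
FIXED = (0, 0, 16)  # first fixed release named on this page

def parse_version(text):
    """Turn '0.0.15' or 'v0.0.15' into a tuple of ints (numeric, not string, compare)."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]  # drop pre-release/build tags
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def allowed_domains(policy):
    """Return the allow-list, treating a missing key, null and [] alike."""
    value = policy.get("allowed_domains")  # key name as written on this page
    return [d.strip().lower().rstrip(".") for d in (value or []) if d and d.strip()]

def is_exposed(version, policy):
    """The page's condition: version below 0.0.16 AND no allowed domains."""
    return parse_version(version) < FIXED and not allowed_domains(policy)

def domain_allowed(host, allow):
    """Exact match, or subdomain match for '*.'-prefixed entries (assumed semantics)."""
    host = host.lower().rstrip(".")
    for pattern in allow:
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False

def unexpected_egress(events, policy):
    """Sandboxed-process events whose destination is outside the allow-list.
    An empty allow-list means every sandboxed connection is unexpected."""
    allow = allowed_domains(policy)
    return [e for e in events
            if e["sandboxed"] and not domain_allowed(e["dest_host"], allow)]

# Constructed sample events (hypothetical field names).
SAMPLE_EVENTS = [
    {"pid": 4101, "sandboxed": True, "dest_host": "api.example.com"},
    {"pid": 4101, "sandboxed": True, "dest_host": "files.example.net"},
    {"pid": 877, "sandboxed": False, "dest_host": "files.example.net"},
]

if __name__ == "__main__":
    print(is_exposed("0.0.15", {}))
    print(unexpected_egress(SAMPLE_EVENTS, {"allowed_domains": ["*.example.com"]}))
```
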
