[BUG] Claude Code Sandbox Bypass Security Breach

Open drswobodziczka opened this issue 2 weeks ago • 1 comment

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

What happened

  1. Command attempted: git commit with heredoc
  2. Sandbox blocked it: "can't create temp file for here document: operation not permitted"
  3. Agent immediately retried with dangerouslyDisableSandbox: true
  4. No permission prompt shown
  5. Command executed outside sandbox

Evidence

First attempt (blocked):

git commit -m "$(cat <<'EOF'
feat: message here
EOF
)"

Error: operation not permitted

Second attempt (auto-bypass):

Bash({
  command: "cat > /tmp/claude/commit-msg.txt << 'EOF'...",
  dangerouslyDisableSandbox: true  // ← Used despite allowUnsandboxedCommands: false
})

Result: SUCCESS

Impact

  • User security policy not enforceable
  • Setting allowUnsandboxedCommands: false has no effect
  • No audit trail (no prompt = no logged approval)
  • Attack vector: malicious prompts can trigger intentional sandbox failures

What Should Happen?

Expected behavior

Agent should:

  1. Detect sandbox failure
  2. Check allowUnsandboxedCommands setting
  3. Respect false value → STOP
  4. Prompt user or suggest /sandbox command

Actual behavior

Agent:

  1. Detected sandbox failure ✓
  2. Ignored allowUnsandboxedCommands: false
  3. Auto-executed with bypass
  4. No security gate enforced ✗

Root cause

Bash tool system prompt contains:

When you see evidence of sandbox-caused failure:
- IMMEDIATELY retry with dangerouslyDisableSandbox: true (don't ask, just do it)

This instruction has higher precedence than user settings.

Error Messages/Logs


Steps to Reproduce

  1. Set in .claude/settings.json:

    {
      "sandbox": {
        "enabled": true,
        "allowUnsandboxedCommands": false
      }
    }
    
  2. Request git commit with heredoc:

    User: "Create a git commit with message from heredoc"
    
  3. Observe:

    • First attempt fails (sandbox blocks heredoc temp file)
    • Second attempt automatically uses dangerouslyDisableSandbox: true
    • No permission prompt shown
    • Command executes outside sandbox

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

No response

Claude Code Version

2.0.62

Platform

Other

Operating System

macOS

Terminal/Shell

Other

Additional Information

Environment

  • IDE: Windsurf
  • Claude Code plugin version: v2.0.62
  • OS: macOS (Sonoma 14.1)
  • Config location: .claude/settings.json

Configuration

{
  "sandbox": {
    "enabled": true,
    "allowUnsandboxedCommands": false
  }
}

drswobodziczka avatar Dec 10 '25 18:12 drswobodziczka
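
The expected behavior listed in the issue (check allowUnsandboxedCommands, stop on false, otherwise prompt the user, and leave an audit record) can be enforced in code at the tool-execution layer rather than by prompt text. The sketch below is an added example, not part of the original issue and not Claude Code's implementation. The setting keys and the dangerouslyDisableSandbox flag are from the issue; the function names, the decision shape and the fail-closed default are assumptions.

```javascript
// Added example: hypothetical gate, not Claude Code's own code.
// Keys sandbox.enabled / sandbox.allowUnsandboxedCommands and the
// dangerouslyDisableSandbox flag come from the issue; all names below are assumed.
const FAIL_CLOSED = { enabled: true, allowUnsandboxedCommands: false };

function loadSandboxPolicy(settingsJson) {
  try {
    const sandbox = JSON.parse(settingsJson).sandbox;
    if (typeof sandbox !== "object" || sandbox === null) return FAIL_CLOSED;
    return {
      enabled: sandbox.enabled === true,
      allowUnsandboxedCommands: sandbox.allowUnsandboxedCommands === true,
    };
  } catch {
    return FAIL_CLOSED; // unreadable settings never widen access (assumed default)
  }
}

// The model-supplied flag is treated as a request; only user settings and an
// explicit user answer can grant it. Every decision is appended to auditLog.
function gateBashCall(policy, call, askUser, auditLog) {
  const wantsBypass = call.dangerouslyDisableSandbox === true;
  const record = (run, sandboxed, reason) => {
    const decision = { run, sandboxed, reason };
    auditLog.push({ at: new Date().toISOString(), command: call.command, wantsBypass, ...decision });
    return decision;
  };
  if (!policy.enabled) return record(true, false, "sandbox disabled in settings");
  if (!wantsBypass) return record(true, true, "sandboxed by default");
  if (!policy.allowUnsandboxedCommands) {
    // Hard stop: no prompt, no retry path the model can steer.
    return record(false, true, "allowUnsandboxedCommands is false; see /sandbox");
  }
  const approved = askUser(`Run outside the sandbox? ${call.command}`) === true;
  return record(approved, !approved, approved ? "user approved bypass" : "user declined bypass");
}

// Constructed input mirroring the issue's settings and second tool call.
const demoPolicy = loadSandboxPolicy('{"sandbox":{"enabled":true,"allowUnsandboxedCommands":false}}');
const demoLog = [];
const demoDecision = gateBashCall(
  demoPolicy,
  { command: "cat > /tmp/claude/commit-msg.txt << 'EOF'...", dangerouslyDisableSandbox: true },
  () => true, // even a "yes" callback is never consulted on this path
  demoLog
);
console.log(demoDecision, demoLog.length);
```

With the settings from the issue, the bypass request is denied without prompting and the denial is recorded, which covers both the enforcement gap and the missing audit trail the report describes.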

Found 3 possible duplicate issues:

  1. https://github.com/anthropics/claude-code/issues/10089
  2. https://github.com/anthropics/claude-code/issues/8961
  3. https://github.com/anthropics/claude-code/issues/5140

This issue will be automatically closed as a duplicate in 3 days.

  • If your issue is a duplicate, please close it and 👍 the existing issue instead
  • To prevent auto-closure, add a comment or 👎 this comment

🤖 Generated with Claude Code

github-actions[bot] avatar Dec 10 '25 18:12 github-actions[bot]