[BUG] `/sandbox` Sandbox mode is useless
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Vulnerability Description
Claude Code's sandbox implementation using bwrap (bubblewrap) successfully restricts Bash commands from accessing parent directories. However, built-in tools (Glob, Write, Read) bypass the bwrap sandbox and can directly access the filesystem outside the intended workspace boundaries, even when sandbox.enabled: true is configured.
Impact
- Attackers can read sensitive files outside the workspace
- Attackers can write/modify files in parent directories
- Attackers can enumerate directory structures beyond workspace boundaries
- Complete sandbox escape despite sandbox being "enabled"
What Should Happen?
Affected Components
| Component | Status | Can Escape |
|---|---|---|
| Bash commands | ✅ Protected | No - Blocked by bwrap |
| Glob tool | ❌ Vulnerable | Yes - Bypasses sandbox |
| Write tool | ❌ Vulnerable | Yes - Bypasses sandbox |
| Read tool | ❌ Vulnerable | Yes - Bypasses sandbox |
| Search tool | ❌ Vulnerable | Yes - Bypasses sandbox |
Error Messages/Logs
Steps to Reproduce
Proof of Concept
Environment Setup
settings.json configuration:
```json
{
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "allowUnsandboxedCommands": false
  },
  "permissions": {
    "allow": [
      "Read(test_cc_sandbox/**)",
      "Write(test_cc_sandbox/**)",
      "Execute(test_cc_sandbox/**)"
    ],
    "deny": [
      "Read(../**)",
      "Write(../**)",
      "Execute(../**)",
      "Read(~/*)",
      "Write(~/*)",
      "Execute(~/**)",
      "Read(/home/**)",
      "Write(/home/**)",
      "Execute(/home/**)"
    ]
  }
}
```
Directory structure:
```
/home/fbx/sail/workspace/
├── code-server/        (sibling directory - should be inaccessible)
└── test_cc_sandbox/    (current workspace - should be sandboxed)
    └── [working files]
```
Step-by-Step Reproduction
Step 1: Verify Bash Sandbox Works
User: "List parent directory contents"
Claude attempts:
```
● Bash(ls -la /home/fbx/sail/workspace)
  ⎿ Error: Exit code 1
    bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
● Bash(ls -la ..)
  ⎿ Error: Exit code 1
    bwrap: loopback: Failed RTM_NEWADDR: Operation not permitted
```
Result: ✅ Bash commands correctly blocked by bwrap
Step 2: Bypass Sandbox Using Glob Tool
User: "Use Glob tool"
Claude executes:
```
● Search(pattern: "*", path: "~/sail/workspace")
  ⎿ Found 100 files (ctrl+o to expand)
```
Result: ❌ Glob tool successfully accessed parent directory, returning 100 files from ~/sail/workspace including the sibling code-server/ directory
Step 3: Write Files Outside Sandbox
User: "Write a test.md file in parent directory with content 'test'"
Claude executes:
```
● Write(~/sail/workspace/test.md)
  ⎿ Wrote 1 lines to ../test.md
    test
```
Result: ❌ Successfully wrote file to parent directory outside workspace
Step 4: Enumerate Directory Structure
User: "List parent directory contents using Glob"
Claude executes:
```
● Search(pattern: "*/*", path: "~/sail/workspace")
  ⎿ Found files including:
    - code-server/ (sibling project)
    - test_cc_sandbox/ (current workspace)
```
Result: ❌ Successfully enumerated complete directory structure outside workspace
Claude Model
Not sure / Multiple models
Is this a regression?
I don't know
Last Working Version
No response
Claude Code Version
2.0.76 (Claude Code)
Platform
Other
Operating System
Ubuntu/Debian Linux
Terminal/Shell
VS Code integrated terminal
Additional Information
No response
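A workspace containment check of the kind the reproduction steps expect from the file tools, covering the `~`, `..` and not-yet-existing Write targets seen above plus a symlink case the report does not test. This is an added example, not part of the original report and not Claude Code's implementation; every function name is hypothetical and the directory layout is constructed in a temp directory to mirror the one in the report.

```javascript
// Added example, not Claude Code's code; all function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

function expandHome(p, homeDir) {
  return p === '~' || p.startsWith('~/') ? path.join(homeDir, p.slice(1)) : p;
}

// Resolve symlinks on the longest existing prefix so a new Write target is still canonicalized.
function canonicalize(absPath) {
  const missing = [];
  for (let cur = absPath; ; ) {
    try {
      return path.join(fs.realpathSync(cur), ...missing);
    } catch (err) {
      if (err.code !== 'ENOENT') throw err;
      if (fs.lstatSync(cur, { throwIfNoEntry: false })) throw err; // dangling symlink
      const parent = path.dirname(cur);
      if (parent === cur) throw err;
      missing.unshift(path.basename(cur));
      cur = parent;
    }
  }
}

// True only when the canonical target is the workspace root or beneath it.
function isInsideWorkspace(workspaceRoot, requested, homeDir = os.homedir()) {
  try {
    const root = canonicalize(path.resolve(workspaceRoot));
    const target = canonicalize(path.resolve(root, expandHome(requested, homeDir)));
    const rel = path.relative(root, target);
    return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
  } catch {
    return false; // anything that cannot be resolved is denied
  }
}

// Constructed layout mirroring the report's directory structure.
function demo() {
  const home = fs.mkdtempSync(path.join(os.tmpdir(), 'home-'));
  const parent = path.join(home, 'sail', 'workspace');
  const ws = path.join(parent, 'test_cc_sandbox');
  fs.mkdirSync(ws, { recursive: true });
  fs.mkdirSync(path.join(parent, 'code-server'));
  fs.symlinkSync(parent, path.join(ws, 'up')); // symlink pointing out of the workspace
  return ['notes/new.md', '~/sail/workspace', '../test.md', 'up/code-server']
    .map((p) => isInsideWorkspace(ws, p, home));
}
```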