Intel

AIKIDO-2026-99876

@anthropic-ai/sandbox-runtime is vulnerable to Improper Access Control

Improper Access Control Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

52

Medium Risk

This Affects:

JS@anthropic-ai/sandbox-runtime
0.0.1 - 0.0.54
Fixed in 0.0.55
Are you affected? Scan for Free

TL;DR

The sandbox routes restricted processes through loopback HTTP and SOCKS proxies that listen on 127.0.0.1 and enforce the configured network policy. These proxies require no authentication, so any local process can dial them and reach the proxy and its filter callback, undermining the intended per-session network isolation. The fix requires a per-session token (Basic auth for HTTP and SOCKS5 user/password for SOCKS) that is generated at init and exported only into the sandboxed child process environment. It also lets deniedDomains accept a bare "*" as a deny-all rule and adds a strictAllowlist mode that blocks off-allowlist hosts without falling back to the ask callback.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you rely on the sandbox's network restrictions to isolate untrusted processes.

Background info

@anthropic-ai/sandbox-runtime is vulnerable to Improper Access Control in versions 0.0.1 - 0.0.54.

How to fix this

Upgrade the @anthropic-ai/sandbox-runtime library to the patch version.