CVE-2025-66479: Anthropic: Protection Bypass circumvents security controls

Published December 4, 2025
CISO Take

Anthropic's sandbox-runtime failed to enforce its network sandbox when the policy configured no allowed domains, so sandboxed AI code could make unrestricted outbound network calls. If you use sandbox-runtime to isolate AI code execution (agent sandboxes, code interpreter tools), upgrade to v0.0.16 or later now and audit whether any deployment relied on an empty domain policy as its network boundary. The blast radius is limited to configurations with no domain allowlist, but those are precisely the 'deny all by default' setups that assumed the strictest posture.

Risk Assessment

Medium risk overall, high where the vulnerable configuration is present. The bug only affects sandbox-runtime deployments configured without any allowed domains, a configuration that should have produced a complete network block but instead enforced nothing. Exploitation is trivial once an attacker can run code inside the sandbox, and running untrusted, LLM-generated code is the intended use case. Impact for affected deployments is full unrestricted outbound network access from sandboxed code, which enables data exfiltration, command-and-control callbacks, and reaching internal services the sandbox was meant to isolate. No CVSS score has been assigned, but trivial exploitation combined with nullification of a security boundary warrants treating this as HIGH severity in affected environments.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.0%
chance of exploitation in 30 days
Higher than 15% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

6 steps
  1. PATCH

    Upgrade sandbox-runtime to v0.0.16 or later across all deployments.

  2. AUDIT

    Identify every instance where sandbox-runtime runs with an empty or absent domain allowlist; on builds before v0.0.16 those instances had no network sandbox at all.

  3. VERIFY

    After upgrading, confirm enforcement from inside the sandbox: an outbound request to a host that is not on the allowlist must fail. Then declare an explicit domain allowlist in every sandbox policy rather than relying on implicit deny-all behavior.

  4. DETECT

    Review outbound network and DNS logs from hosts that ran sandboxed processes for unexpected destinations during the exposure window (any period in which a pre-0.0.16 build ran with an empty allowlist).

  5. WORKAROUND (pre-patch)

    Wrap sandbox-runtime with OS-level egress filtering (iptables/pf rules) or run it inside a container with an explicit network policy as a defense-in-depth measure. Host-level filters match IP addresses rather than domain names, so they are coarser than the sandbox's own allowlist and must also permit any resolver the sandboxed code needs.

  6. DOCUMENT

    Record this as a control gap for any AI Act or ISO 42001 audit trail covering your agent execution environment.
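The audit, verification and fallback steps above, as an added Python example for this advisory; it is not code from Anthropic or the sandbox-runtime project. It assumes the sandbox policy is a JSON object with a network.allowedDomains array (the key names are an assumption, check the documentation of your installed version), that the wrapper command is srt, and that the deployment inventory is constructed inline. probe_egress needs the real tool and curl and is not part of the offline checks.

```python
"""Deployment audit for CVE-2025-66479 (sandbox-runtime network allowlist bug).

Added example for this advisory; not code from Anthropic or the sandbox-runtime
project. ASSUMPTIONS (adjust to your deployment): the sandbox policy is a JSON
object with a "network" key whose "allowedDomains" array is the egress
allowlist, and the sandbox wrapper command is "srt".
"""
import json
import subprocess

FIXED_VERSION = (0, 0, 16)          # first release with the fix


def parse_version(text):
    """'v0.0.15' -> (0, 0, 15); a pre-release suffix such as '-beta.1' is ignored."""
    core = text.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def allowed_domains(policy):
    """Return the non-blank entries of policy.network.allowedDomains (may be empty)."""
    network = policy.get("network") or {}
    entries = network.get("allowedDomains") or []
    return [d for d in entries if isinstance(d, str) and d.strip()]


def audit_policy(name, version, policy):
    """Findings for one deployment as (severity, message) tuples; [] means clean."""
    findings = []
    vulnerable_build = parse_version(version) < FIXED_VERSION
    if vulnerable_build:
        findings.append(("HIGH", f"{name}: sandbox-runtime {version} predates 0.0.16; upgrade"))
    if not allowed_domains(policy):
        if vulnerable_build:
            # The exact condition from the advisory: old build plus no allowed domains
            # means the network sandbox was never enforced.
            findings.append(("CRITICAL", f"{name}: empty allowlist on {version}: "
                             "network sandbox was NOT enforced (CVE-2025-66479)"))
        else:
            findings.append(("MEDIUM", f"{name}: empty allowlist relies on implicit "
                             "deny-all; declare the allowlist explicitly"))
    return findings


def harden_policy(policy, domains):
    """Copy of policy with an explicit, non-empty, de-duplicated allowlist."""
    if not domains:
        raise ValueError("explicit allowlist must name at least one domain")
    hardened = json.loads(json.dumps(policy))          # deep copy
    hardened.setdefault("network", {})["allowedDomains"] = sorted(set(domains))
    return hardened


def probe_egress(url, sandbox_cmd=("srt",), timeout=5):
    """Verification step: run curl inside the sandbox against a host that is NOT on
    the allowlist. Returns True when the request was blocked (curl exited non-zero).
    Needs the real tool and curl, so it is not part of the offline checks below."""
    cmd = [*sandbox_cmd, "curl", "-sS", "--max-time", str(timeout), "-o", "/dev/null", url]
    return subprocess.run(cmd, capture_output=True).returncode != 0


def egress_rules(uid, allowed_ips, resolver=None, chain="SANDBOX_EGRESS"):
    """Pre-patch fallback: iptables commands (apply as root) so that processes running
    as `uid` can reach only loopback, the DNS resolver and allowed_ips. Host filters
    match IP addresses, not domain names, so this is coarser than the sandbox's own
    allowlist; resolve each allowed domain and pass the addresses here."""
    rules = [f"iptables -N {chain}", f"iptables -A {chain} -o lo -j ACCEPT"]
    if resolver:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A {chain} -p {proto} -d {resolver} --dport 53 -j ACCEPT")
    rules += [f"iptables -A {chain} -d {ip} -j ACCEPT" for ip in allowed_ips]
    rules.append(f"iptables -A {chain} -j REJECT --reject-with icmp-admin-prohibited")
    rules.append(f"iptables -I OUTPUT -m owner --uid-owner {uid} -j {chain}")
    return rules


# Constructed sample inventory: (deployment name, sandbox-runtime version, policy).
SAMPLE_DEPLOYMENTS = [
    ("code-interpreter", "0.0.15", {"network": {}}),                        # vulnerable
    ("agent-ci", "0.0.15", {"network": {"allowedDomains": ["api.github.com"]}}),
    ("research-agent", "v0.0.16", {}),                                       # patched, implicit
]


def audit_inventory(deployments=SAMPLE_DEPLOYMENTS):
    """Run audit_policy over an inventory; returns {name: findings}."""
    return {name: audit_policy(name, version, policy) for name, version, policy in deployments}


if __name__ == "__main__":
    for name, findings in audit_inventory().items():
        for severity, message in findings or [("OK", f"{name}: no findings")]:
            print(f"[{severity}] {message}")
    print("\n".join(egress_rules(1001, ["140.82.112.6"], resolver="10.0.0.2")))
```

Feed audit_inventory the real inventory (version from the installed package, policy from each deployment's config file) and treat any CRITICAL finding as a confirmed exposure window for the DETECT step. The iptables rules are a stopgap only: they bind to a uid rather than to the sandbox, and they cannot express domain wildcards, so remove them once v0.0.16 is deployed and the explicit allowlist is verified.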

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2 - Controls for AI systems
A.9.4 - AI System Technical Security Controls
NIST AI RMF
GOVERN 1.7 - Processes for AI Risk Management
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-66479?

Anthropic's sandbox-runtime failed to enforce its network sandbox when the policy configured no allowed domains, so sandboxed AI code could make unrestricted outbound network calls. If you use sandbox-runtime to isolate AI code execution (agent sandboxes, code interpreter tools), upgrade to v0.0.16 or later now and audit whether any deployment relied on an empty domain policy as its network boundary. The blast radius is limited to configurations with no domain allowlist, but those are precisely the 'deny all by default' setups that assumed the strictest posture.

Is CVE-2025-66479 actively exploited?

No confirmed active exploitation of CVE-2025-66479 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-66479?

1. PATCH: Upgrade sandbox-runtime to v0.0.16 or later across all deployments.
2. AUDIT: Identify every instance where sandbox-runtime runs with an empty or absent domain allowlist; on builds before v0.0.16 those instances had no network sandbox at all.
3. VERIFY: After upgrading, confirm from inside the sandbox that an outbound request to a host not on the allowlist fails, then declare an explicit domain allowlist in every sandbox policy rather than relying on implicit deny-all behavior.
4. DETECT: Review outbound network and DNS logs from hosts that ran sandboxed processes for unexpected destinations during the exposure window (before v0.0.16).
5. WORKAROUND (pre-patch): Wrap sandbox-runtime with OS-level egress filtering (iptables/pf rules) or run it inside a container with an explicit network policy as a defense-in-depth measure.
6. DOCUMENT: Record this as a control gap for any AI Act or ISO 42001 audit trail covering your agent execution environment.

What systems are affected by CVE-2025-66479?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, code interpreter sandboxes, LLM-generated code execution environments, AI development tooling pipelines.

What is the CVSS score for CVE-2025-66479?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16.

Exploitation Scenario

An adversary targets an AI coding assistant or agentic platform that uses a sandbox-runtime build before v0.0.16 to execute LLM-generated code. The platform was configured without an explicit domain allowlist on the assumption that omitting allowed domains meant 'block all'. The attacker supplies a prompt, typed directly or planted in content the agent is asked to process, that causes the LLM to generate code containing an outbound HTTP call to an attacker-controlled server. When the code runs in the sandbox the call succeeds because the network policy is not enforced, and the attacker receives exfiltrated environment variables, API keys, or the results of probes against internal services. Because the whole chain runs through normal LLM interaction, no privileges beyond access to the prompt interface are required.

Timeline

Published
December 4, 2025
Last Modified
December 8, 2025
First Seen
December 4, 2025
