CVE-2025-66479

UNKNOWN
Published December 4, 2025
CISO Take

Anthropic's sandbox-runtime failed to enforce network isolation when no allowed domains were explicitly configured — meaning sandboxed AI code could make unrestricted outbound network calls. If you deploy sandbox-runtime for AI code execution isolation (e.g., agent sandboxes, code interpreter tools), upgrade to v0.0.16 immediately and audit whether any deployments relied on an empty domain policy as the network boundary. The blast radius is limited to configurations with no domain allowlist, but those are precisely the 'deny all by default' setups that assumed the strictest posture.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. PATCH: Upgrade sandbox-runtime to v0.0.16 immediately across all deployments.
  2. AUDIT: Identify any instances where sandbox-runtime is deployed with an empty or absent domain allowlist — these were unprotected.
  3. VERIFY: Even after patching, add explicit domain allowlists to all sandbox policies; do not rely on implicit deny-all behavior.
  4. DETECT: Review outbound network logs from sandboxed processes for anomalous calls during the exposure window (before v0.0.16).
  5. WORKAROUND (pre-patch): Wrap sandbox-runtime with OS-level egress filtering (iptables/pf rules) or run inside a container with explicit network policy as a defense-in-depth measure.
  6. DOCUMENT: Record this as a control gap for any AI Act or ISO 42001 audit trail covering your agent execution environment.
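The following script is an added example for the AUDIT, VERIFY and DETECT steps above; it is not code from this advisory or from the sandbox-runtime project. It flags policies whose network allowlist is empty or absent (the exposed configuration), reports whether a given runtime version is below the patched 0.0.16, and runs an allowlist check over outbound-connection log lines. It assumes a policy JSON shape with an optional `network.allowedDomains` array (an assumed schema, not taken from this page), a constructed egress log format, and its own wildcard rule (`*.example.com` matches subdomains only); the sample policies and log lines are constructed for the example.

```python
"""Audit helpers for the CVE-2025-66479 exposure condition in sandbox-runtime.

Added example, not part of the advisory or the sandbox-runtime project.
Assumptions: policy files are JSON with an optional `network.allowedDomains`
array (assumed schema); the egress log format below is constructed for the
example; wildcard `*.example.com` matches subdomains only (our own rule).
"""
import json
import re
from typing import Iterable

PATCHED_VERSION = (0, 0, 16)  # first release that enforces an empty allowlist

# Constructed sample policies: the first two are the exposed "deny-all" shapes.
SAMPLE_POLICIES = {
    "strict-but-empty": {"network": {"allowedDomains": []}},
    "no-network-section": {"filesystem": {"denyRead": ["~/.ssh"]}},
    "explicit-allowlist": {"network": {"allowedDomains": ["api.github.com", "*.npmjs.org"]}},
}

# Constructed egress log lines (format assumed for this example).
SAMPLE_EGRESS_LOG = """\
2025-12-05T10:00:01Z pid=4021 sandbox=agent-7 dst=registry.npmjs.org:443
2025-12-05T10:00:07Z pid=4021 sandbox=agent-7 dst=203.0.113.9:8080
2025-12-05T10:00:09Z pid=4022 sandbox=agent-8 dst=api.github.com:443
2025-12-05T10:00:12Z pid=4022 sandbox=agent-8 dst=unlisted-host.example.net:443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) sandbox=(?P<sandbox>\S+) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)


def parse_version(version: str) -> tuple:
    """Parse 'v0.0.15' / '0.0.16' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(version: str) -> bool:
    """True when the runtime is at or above the 0.0.16 fix release."""
    return parse_version(version) >= PATCHED_VERSION


def allowed_domains(policy: dict) -> list:
    """Return the policy's allowlist, or [] when the key or section is absent."""
    network = policy.get("network") or {}
    return list(network.get("allowedDomains") or [])


def policy_findings(policy: dict, installed_version: str) -> list:
    """Findings for one policy: an empty allowlist is always reported (step 3),
    and on a pre-0.0.16 runtime it meant no network sandbox at all (step 2)."""
    findings = []
    if not allowed_domains(policy):
        findings.append("allowedDomains empty or absent: policy relies on implicit deny-all")
        if not is_patched(installed_version):
            findings.append(f"runtime {installed_version} < 0.0.16: network sandbox not enforced")
    return findings


def audit_policies(policies: dict, installed_version: str) -> dict:
    """Map each policy name to its list of findings ([] means no issue)."""
    return {name: policy_findings(p, installed_version) for name, p in policies.items()}


def load_policy_file(path: str) -> dict:
    """Read a policy JSON file from disk (for use against real deployments)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def domain_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """Exact match, or subdomain match for '*.' patterns. IP literals never
    match a domain pattern, so they surface as findings."""
    host = host.lower().rstrip(".")
    for pattern in allowlist:
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # '.npmjs.org' suffix: subdomains only
                return True
        elif host == pattern:
            return True
    return False


def flag_unexpected_egress(log_text: str, allowlist: Iterable[str]) -> list:
    """Return parsed log records whose destination is outside the allowlist (step 4)."""
    allowlist = list(allowlist)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not domain_allowed(m["host"], allowlist):
            hits.append(m.groupdict())
    return hits


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES, "0.0.15").items():
        print(name, "->", findings or ["ok"])
    for hit in flag_unexpected_egress(SAMPLE_EGRESS_LOG, ["api.github.com", "*.npmjs.org"]):
        print("unexpected egress:", hit["sandbox"], hit["host"], hit["port"])
```

Against a real deployment, replace the constructed samples with `load_policy_file()` over each policy in use and with the egress records your proxy or host firewall actually emits (adjusting `LOG_RE` to that format); the point of keeping the empty-allowlist finding even on a patched runtime is step 3 above, that the network boundary should be stated explicitly rather than inferred from an absent key.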

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.2 - Controls for AI systems
A.9.4 - AI System Technical Security Controls
NIST AI RMF
GOVERN 1.7 - Processes for AI Risk Management
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems are evaluated and applied
OWASP LLM Top 10
LLM08 - Excessive Agency

Technical Details

NVD Description

Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16.

Exploitation Scenario

An adversary targets an AI coding assistant or agentic platform that uses sandbox-runtime to execute LLM-generated code. The platform was configured with sandbox-runtime but without an explicit domain allowlist (assuming that omitting allowed domains meant 'block all'). The attacker crafts a prompt that causes the LLM to generate code containing an outbound HTTP call to an attacker-controlled server. When executed in the sandbox, the network call succeeds — the sandbox policy is not enforced. The attacker receives exfiltrated environment variables, API keys, or internal network probes. Because this is triggered through normal LLM interaction, no special privileges or code injection beyond the AI prompt interface are required.

Weaknesses (CWE)

Timeline

Published
December 4, 2025
Last Modified
December 8, 2025
First Seen
December 4, 2025