[BUG] Claude Code Sandbox Bypass Security Breach

Resolved 💬 4 comments Opened Dec 10, 2025 by drswobodziczka Closed Mar 4, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

What happened

  1. Command attempted: git commit with heredoc
  2. Sandbox blocked it: "can't create temp file for here document: operation not permitted"
  3. Agent immediately retried with dangerouslyDisableSandbox: true
  4. No permission prompt shown
  5. Command executed outside sandbox

Evidence

First attempt (blocked):

git commit -m "$(cat <<'EOF'
feat: message here
EOF
)"

Error: operation not permitted

Second attempt (auto-bypass):

Bash({
  command: "cat > /tmp/claude/commit-msg.txt << 'EOF'...",
  dangerouslyDisableSandbox: true  // ← Used despite allowUnsandboxedCommands: false
})

Result: SUCCESS

Impact

  • User security policy not enforceable
  • Setting allowUnsandboxedCommands: false has no effect
  • No audit trail (no prompt = no logged approval)
  • Attack vector: malicious prompts can trigger intentional sandbox failures

What Should Happen?

Expected behavior

Agent should:

  1. Detect sandbox failure
  2. Check allowUnsandboxedCommands setting
  3. Respect false value → STOP
  4. Prompt user or suggest /sandbox command

Actual behavior

Agent:

  1. Detected sandbox failure ✓
  2. Ignored allowUnsandboxedCommands: false
  3. Auto-executed with bypass
  4. No security gate enforced ✗

Root cause

Bash tool system prompt contains:

When you see evidence of sandbox-caused failure:
- IMMEDIATELY retry with dangerouslyDisableSandbox: true (don't ask, just do it)

This instruction has higher precedence than user settings.

Error Messages/Logs

Steps to Reproduce

  1. Set in .claude/settings.json:

``json
{
"sandbox": {
"enabled": true,
"allowUnsandboxedCommands": false
}
}
``

  1. Request git commit with heredoc:

``
User: "Create a git commit with message from heredoc"
``

  1. Observe:
  • First attempt fails (sandbox blocks heredoc temp file)
  • Second attempt automatically uses dangerouslyDisableSandbox: true
  • No permission prompt shown
  • Command executes outside sandbox

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.0.62

Platform

Other

Operating System

macOS

Terminal/Shell

Other

Additional Information

Environment

  • IDE: Windsurf
  • Claude Code plugin version: v2.0.62
  • OS: macOS (Sonoma 14.1)
  • Config location: .claude/settings.json

Configuration

{
  "sandbox": {
    "enabled": true,
    "allowUnsandboxedCommands": false
  }
}

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗