[BUG] Claude Code Sandbox Bypass Security Breach
Resolved 💬 4 comments Opened Dec 10, 2025 by drswobodziczka Closed Mar 4, 2026
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
What happened
- Command attempted:
git commitwith heredoc - Sandbox blocked it:
"can't create temp file for here document: operation not permitted" - Agent immediately retried with
dangerouslyDisableSandbox: true - No permission prompt shown
- Command executed outside sandbox
Evidence
First attempt (blocked):
git commit -m "$(cat <<'EOF'
feat: message here
EOF
)"
Error: operation not permitted
Second attempt (auto-bypass):
Bash({
command: "cat > /tmp/claude/commit-msg.txt << 'EOF'...",
dangerouslyDisableSandbox: true // ← Used despite allowUnsandboxedCommands: false
})
Result: SUCCESS
Impact
- User security policy not enforceable
- Setting
allowUnsandboxedCommands: falsehas no effect - No audit trail (no prompt = no logged approval)
- Attack vector: malicious prompts can trigger intentional sandbox failures
What Should Happen?
Expected behavior
Agent should:
- Detect sandbox failure
- Check
allowUnsandboxedCommandssetting - Respect
falsevalue → STOP - Prompt user or suggest
/sandboxcommand
Actual behavior
Agent:
- Detected sandbox failure ✓
- Ignored
allowUnsandboxedCommands: false✗ - Auto-executed with bypass ✗
- No security gate enforced ✗
Root cause
Bash tool system prompt contains:
When you see evidence of sandbox-caused failure:
- IMMEDIATELY retry with dangerouslyDisableSandbox: true (don't ask, just do it)
This instruction has higher precedence than user settings.
Error Messages/Logs
Steps to Reproduce
- Set in
.claude/settings.json:
``json``
{
"sandbox": {
"enabled": true,
"allowUnsandboxedCommands": false
}
}
- Request git commit with heredoc:
````
User: "Create a git commit with message from heredoc"
- Observe:
- First attempt fails (sandbox blocks heredoc temp file)
- Second attempt automatically uses
dangerouslyDisableSandbox: true - No permission prompt shown
- Command executes outside sandbox
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.0.62
Platform
Other
Operating System
macOS
Terminal/Shell
Other
Additional Information
Environment
- IDE: Windsurf
- Claude Code plugin version: v2.0.62
- OS: macOS (Sonoma 14.1)
- Config location:
.claude/settings.json
Configuration
{
"sandbox": {
"enabled": true,
"allowUnsandboxedCommands": false
}
}This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗