Protection Mechanism Failure Affecting @anthropic-ai/sandbox-runtime package, versions <0.0.16
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-ANTHROPICAISANDBOXRUNTIME-14192085
- published5 Dec 2025
- disclosed4 Dec 2025
- creditBen Drucker
Introduced: 4 Dec 2025
NewCVE-2025-66479 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade @anthropic-ai/sandbox-runtime to version 0.0.16 or higher.
Overview
@anthropic-ai/sandbox-runtime is an Anthropic Sandbox Runtime (ASRT) - A general-purpose tool for wrapping security boundaries around arbitrary processes
Affected versions of this package are vulnerable to Protection Mechanism Failure due to improper enforcement of network sandboxing in the sandboxing logic. An attacker can bypass intended network restrictions by executing code that initiates network requests to unauthorized domains.
Note:
This is only exploitable if the sandbox policy does not configure any allowed domains.