Anthropic Claude SDK for Python Sandbox Escape Vulnerability via Symlink Manipulation
Vulnerability
A vulnerability in the Claude SDK for Python, in versions from 0.86.0 and prior to 0.87.0, allows a sandbox escape through symlink manipulation. The issue is in the asynchronous local filesystem memory tool, which handled path validation incorrectly. The tool validated that model-supplied paths were within the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. This created a time-of-check-to-time-of-use (TOCTOU) race condition. A local attacker with write access to the memory directory could exploit it by retargeting a symlink between the validation and the actual file operation, causing reads or writes to escape the sandbox. The synchronous memory tool was not affected by this vulnerability.
Impact
Exploitation of this vulnerability could lead to unauthorized access to the local filesystem, allowing reads or writes to escape the sandboxed environment.
Reproduction
To reproduce this vulnerability, first create a symlink in the memory directory that points to a legitimate directory containing a file. The symlink will pass the validation check because it appears to be within the allowed directory. However, before performing a file operation, swap the symlink to point to a different location outside the sandbox. When the file operation is executed, it will follow the new symlink target, bypassing the sandbox restrictions and accessing the specified file or directory.
Remediation
Users are advised to update the Anthropic Claude SDK for Python to version 0.87.0 or later, where this vulnerability has been patched.
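The validate-then-use gap described above, contrasted with a check that returns the path it validated. This is an added example, not the SDK's code or its patch: the function names, directory layout and file contents are constructed, and the symlink is retargeted deterministically inside a temporary directory instead of as a race.

```python
import tempfile
from pathlib import Path


def check_returns_unresolved(root: Path, rel: str) -> Path:
    """Flawed pattern: validate the resolved path, hand back the unresolved one."""
    candidate = root / rel
    if not candidate.resolve().is_relative_to(root.resolve()):
        raise ValueError(f"{rel!r} escapes the memory directory")
    return candidate  # symlinks are followed a second time when the file is opened


def check_returns_resolved(root: Path, rel: str) -> Path:
    """Hardened pattern: the path that was validated is the path that gets used."""
    resolved = (root / rel).resolve()
    if not resolved.is_relative_to(root.resolve()):
        raise ValueError(f"{rel!r} escapes the memory directory")
    return resolved


def demo() -> dict:
    """Constructed scenario: a symlink changes target after validation."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root, outside = base / "memory", base / "outside"
        (root / "real").mkdir(parents=True)
        outside.mkdir()
        (root / "real" / "note.txt").write_text("inside sandbox")
        (outside / "note.txt").write_text("outside sandbox")
        link = root / "current"
        link.symlink_to(root / "real", target_is_directory=True)
        # Both checks pass while the link still points inside the sandbox.
        weak = check_returns_unresolved(root, "current/note.txt")
        strong = check_returns_resolved(root, "current/note.txt")
        # The link is retargeted between check and use.
        link.unlink()
        link.symlink_to(outside, target_is_directory=True)
        result = {"weak": weak.read_text(), "strong": strong.read_text()}
        try:  # a fresh validation after the swap is refused
            check_returns_resolved(root, "current/note.txt")
            result["revalidated"] = "accepted"
        except ValueError:
            result["revalidated"] = "rejected"
        return result


if __name__ == "__main__":
    print(demo())
```

Returning the resolved path removes the second symlink traversal, but it does not cover a real directory component being replaced after resolution. Descriptor-relative opens that refuse symlinks (`O_NOFOLLOW` with `dir_fd`) are the stronger control where the platform supports them.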
