Description
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network. This breaks enclave-vm’s core security guarantee of isolating untrusted code. This vulnerability is fixed in 2.7.0.
Published: 2026-01-13
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution in Host Runtime
Action: Apply Patch
AI Analysis

Impact

A flaw in the enclave-vm sandbox permits untrusted JavaScript to break out of the isolation boundary and execute arbitrary code within the Node.js host process. The vulnerability arises when a host-side Error object is exposed to the sandbox: its prototype chain belongs to the host realm, so it can be traversed to reach the host Function constructor. An attacker can trigger such an error, climb the prototype chain, and compile code that runs with the privileges of the host. This defeats the sandbox's isolation guarantee, letting an attacker read environment variables, access the filesystem, and initiate network communication. The weakness is catalogued as CWE-693 (Protection Mechanism Failure) and CWE-94 (code injection).

Affected Systems

Agentfront Enclave (enclave-vm) versions earlier than 2.7.0 are affected, regardless of the Node.js major version. Any deployment that uses these older enclave components exposes the host runtime to unauthorized code execution.

Risk and Exploitability

The severity is critical, reflected by a CVSS v3.1 base score of 10.0. The EPSS score is below 1%, indicating that exploitation is expected to be rare, and the vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires that an adversary supply sandboxed JavaScript that intentionally causes a host error, which is possible in any context that evaluates untrusted code with enclave-vm, such as an AI agent executing model-generated code. Attackers who can run code inside the sandbox can use the prototype chain traversal to gain host-level access.

Generated by OpenCVE AI on April 18, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to enclave‑vm version 2.7.0 or later to eliminate the prototype chain escape path.
  • Replace or remove any legacy enclave modules that remain in the deployment before upgrading.
  • Run enclave‑vm in a dedicated low‑privilege process or container to limit potential host impact.



Advisories

Source: GitHub GHSA
ID: GHSA-7qm7-455j-5p63
Title: enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain
History

Each entry lists the record type and the values added; no values were removed in any entry.

Tue, 24 Feb 2026 19:30:00 +0000
  • CPEs: cpe:2.3:a:agentfront:enclave:*:*:*:*:*:node.js:*:*

Wed, 14 Jan 2026 15:15:00 +0000
  • Metrics: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000
  • First Time appeared: Agentfront; Agentfront enclave
  • Vendors & Products: Agentfront; Agentfront enclave

Tue, 13 Jan 2026 23:30:00 +0000
  • Description: identical to the Description at the top of this page
  • Title: Sandbox Escape via Host Error Prototype Chain in enclave-vm
  • Weaknesses: CWE-693; CWE-94
  • References
  • Metrics: cvssV3_1
    {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-14T14:33:18.579Z

Reserved: 2026-01-08T19:23:09.854Z

Link: CVE-2026-22686

Vulnrichment

Updated: 2026-01-14T14:33:09.645Z

NVD

Status: Analyzed

Published: 2026-01-14T00:15:49.957

Modified: 2026-02-24T19:23:05.580

Link: CVE-2026-22686

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses