Description
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: the AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior of the vm module, and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.
Published: 2026-02-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential arbitrary code execution through sandbox escape
Action: Immediate Patch
AI Analysis

Impact

The flaw originates from multiple weaknesses in Enclave’s security mechanisms. AST sanitization can be bypassed with dynamic property access, the hardening of error objects does not cover special behavior in the vm module, and the Function constructor restriction is circumvented via host object references. These combined weaknesses enable an attacker to escape the sandbox and execute arbitrary code, compromising the host process’s confidentiality and integrity.

Affected Systems

The vulnerability affects Agentfront Enclave versions prior to 2.10.1. Users of 2.9.x and earlier are vulnerable.

Risk and Exploitability

The CVSS 4.0 score of 6.4 indicates medium severity. EPSS is below 1%, suggesting a low probability of exploitation at this time. The issue is not listed in CISA’s KEV catalog. An attack is likely to occur when a malicious or compromised agent is executed within the sandbox; the attacker requires control over the agent code to exploit the bypasses.

Generated by OpenCVE AI on April 17, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Enclave to version 2.10.1 or later.
  • If an upgrade is not currently possible, restrict agent code to static-only AST usage and avoid dynamic property accesses.
  • Consider disabling the host environment’s vm module or isolating it from the sandbox to prevent the Function constructor from being exploited.



Advisories
Source: Github GHSA
ID: GHSA-x39w-8vm5-5m3p
Title: Sandbox escape via infinite recursion and error objects

History

Fri, 20 Feb 2026 21:15:00 +0000

Values removed: (none)
Values added:
  • CPEs: cpe:2.3:a:agentfront:enclave:*:*:*:*:*:*:*:*
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Mon, 09 Feb 2026 16:15:00 +0000

Values removed: (none)
Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Values removed: (none)
Values added:
  • First Time appeared: Agentfront; Agentfront enclave
  • Vendors & Products: Agentfront; Agentfront enclave

Fri, 06 Feb 2026 21:45:00 +0000

Values removed: (none)
Values added:
  • Description: Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: the AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior of the vm module, and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.
  • Title: Enclave has a sandbox escape via infinite recursion and error objects
  • Weaknesses: CWE-835
  • References
  • Metrics: cvssV4_0 {'score': 6.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-09T15:27:09.399Z

Reserved: 2026-02-02T19:59:47.373Z

Link: CVE-2026-25533

Vulnrichment

Updated: 2026-02-09T15:19:20.309Z

NVD

Status: Analyzed

Published: 2026-02-06T22:16:11.450

Modified: 2026-02-20T21:06:58.490

Link: CVE-2026-25533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses