CVE-2026-27597
Sandbox Escape Vulnerability in Enclave @enclave-vm/core Enables RCE
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agentfront | enclave | up to 2.11.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27597 is a critical security vulnerability in the npm package `@enclave-vm/core`, a secure JavaScript sandbox used for safe AI agent code execution. Prior to version 2.11.1, attackers could escape the sandbox's security boundaries by exploiting improper isolation of intrinsic objects and unsafe access to constructors.
This escape allows attackers to obtain the native JavaScript Object constructor instead of the sandbox's SafeObject wrapper, enabling them to access restricted properties and ultimately execute arbitrary code on the host system remotely (remote code execution or RCE).
The vulnerability involves bypassing sandbox protections through techniques such as leveraging the host object `__host_memory_track__` when memory limits are set, or exploiting Node.js's `nodejs.util.inspect.custom` symbol when no memory limit is set. These methods allow attackers to run system commands outside the sandbox.
The issue was fixed in version 2.11.1 by strengthening intrinsic object isolation, improving console isolation, hardening host callback exposure paths, closing AST validation gaps, and adding defensive checks around constructor access and prototype traversal.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows untrusted code running inside an Enclave instance to fully escape the sandbox environment and execute arbitrary commands on the host system remotely.
Such remote code execution (RCE) can lead to complete compromise of the host system's confidentiality, integrity, and availability.
- Attackers can run arbitrary system commands, potentially gaining full control over the host.
- Sensitive data on the host system can be exposed or altered.
- System stability and availability can be disrupted by malicious actions.
Because the vulnerability requires no privileges or user interaction and has a network attack vector with low complexity, it poses a critical risk to any system using vulnerable versions of the package.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves analyzing JavaScript code for disallowed identifiers that can lead to sandbox escape, particularly in object coercion scenarios.
A validation framework using a DisallowedIdentifierRule and a JSAstValidator can be employed to scan JavaScript Abstract Syntax Trees (ASTs) for unsafe usage of identifiers such as "constructor", "__proto__", and "prototype".
Tests include checking for disallowed identifiers returned by toString or valueOf methods in objects, as well as their use in computed property keys, template literals, conditional expressions, and other complex JavaScript expressions.
While no specific network or system commands are provided, detection requires static code analysis tools or custom scripts that parse JavaScript ASTs to identify these patterns.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade the affected npm package `@enclave-vm/core` to version 2.11.1 or later, where the vulnerability has been fixed.
The fix includes strengthened intrinsic object isolation, improved console isolation, hardened host callback exposure paths, closed AST validation gaps, and additional defensive checks around constructor access and prototype traversal.
Until the upgrade can be applied, avoid running untrusted code inside Enclave instances, as the vulnerability allows remote code execution and full sandbox escape.
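One way to confirm the upgrade reached every installed copy, including nested transitive ones, is to audit the lockfile. The script below is an added example, not code from the advisory or the Enclave project; it walks the `packages` map of an npm `package-lock.json` (lockfile v2/v3) and flags any `@enclave-vm/core` below 2.11.1. The sample lockfile and the other package names in it are constructed for illustration.

```javascript
// Package name and fixed version are taken from the advisory text.
const PKG = "@enclave-vm/core";
const FIXED = [2, 11, 1];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// True when the version sorts below 2.11.1. Unparseable versions fail closed.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a 2.11.1 pre-release sorts before 2.11.1 in semver
}

// Collect every installed copy, top-level or nested under another dependency.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/@enclave-vm/core".
    if (path !== `node_modules/${PKG}` && !path.endsWith(`/node_modules/${PKG}`)) continue;
    findings.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile; all names except @enclave-vm/core are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-host", version: "1.0.0" },
    "node_modules/@enclave-vm/core": { version: "2.11.1" },
    "node_modules/agent-runner/node_modules/@enclave-vm/core": { version: "2.10.0" },
    "node_modules/tool-kit/node_modules/@enclave-vm/core": { version: "2.11.1-rc.1" },
    "node_modules/@enclave-vm/core-utils": { version: "1.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok"}  ${f.version}  ${f.path}`);
}
```

To audit a real project, pass the parsed contents of its `package-lock.json` to `auditLockfile` in place of `SAMPLE_LOCK`.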