CVE-2026-22686

The Trojan Horse of Errors: Escaping Enclave-VM via Host Prototype Chains

Alon Barad
Software Engineer

Jan 14, 2026 · 7 min read

Executive Summary (TL;DR)

If an AI agent or untrusted script running inside `enclave-vm` triggers an error in a host tool, the sandbox previously handed it a raw Host Error object. Attackers can climb this object's prototype chain (`error.__proto__.constructor.constructor`) to get a reference to the Host's `Function` constructor, enabling full Remote Code Execution (RCE) and total system compromise. Fixed in version 2.7.0.

A critical sandbox escape vulnerability in `enclave-vm` allows malicious code to break out of the JavaScript sandbox by leveraging host-side Error objects. By traversing the prototype chain of an error returned from a failed tool call, attackers can access the host's `Function` constructor and execute arbitrary code on the underlying server.
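The leak described in the summary above, next to a hardened hand-off, as an added example: it is not from the original page and is not enclave-vm's code or its 2.7.0 patch. It uses Node's built-in `vm` module as a stand-in sandbox, and `hostTool`, `staysInSandboxRealm` and `toSandboxError` are hypothetical names. The check only compares constructor identity inside the sandbox realm.

```javascript
const vm = require('node:vm');

// Hypothetical host-side tool that always fails (stand-in for a real tool call).
function hostTool() {
  throw new Error('tool failed: upstream timeout');
}

// Evaluated inside the sandbox: true only if the value's prototype chain
// ends at the sandbox's own Function, false if it reaches another realm's.
const REALM_CHECK = 'value.__proto__.constructor.constructor === Function';

function staysInSandboxRealm(context, value) {
  context.value = value;
  try {
    return vm.runInContext(REALM_CHECK, context);
  } finally {
    delete context.value;
  }
}

// Hardened hand-off: copy only primitive strings across the boundary and
// build the Error inside the sandbox, so no host object reference crosses.
function toSandboxError(context, hostError) {
  const build = vm.runInContext(`(name, message) => {
    const e = new Error(message);
    e.name = name;
    e.stack = name + ': ' + message; // replace host stack frames and paths
    return e;
  }`, context);
  return build(String(hostError.name), String(hostError.message));
}

function demo() {
  const context = vm.createContext({});
  let hostError;
  try { hostTool(); } catch (e) { hostError = e; }
  const safe = toSandboxError(context, hostError);
  return {
    rawStaysInside: staysInSandboxRealm(context, hostError),   // host Error leaks
    sanitizedStaysInside: staysInSandboxRealm(context, safe),  // rebuilt in sandbox
    message: safe.message,
  };
}

console.log(demo());
```

Node's `vm` module is not a security boundary on its own; the example isolates only the realm-identity property that this advisory is about.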

Technical Appendix

CVSS Score: 10.0 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Probability: 0.10% (Top 71% most exploited)

Affected Systems

- enclave-vm < 2.7.0
- Node.js applications using enclave-vm for AI sandboxing
- Agentic AI frameworks relying on enclave-vm for tool execution

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| enclave-vm (AgentFront) | < 2.7.0 | 2.7.0 |

| Attribute | Detail |
| --- | --- |
| CWE | CWE-693 (Protection Mechanism Failure) |
| CVSS v3.1 | 10.0 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | Prototype Chain Traversal via Host Object Leak |
| Exploit Status | PoC Available (Vector 35) |
| EPSS Score | 0.00102 |
Vulnerability Timeline

- 2026-01-09: Patch committed to main branch
- 2026-01-13: GHSA Advisory Published
- 2026-01-14: CVE Published
