PT-2026-6649 · Unknown+1 · @enclave-vm/core+3

Cristianstaicu · Published 2026-02-05 · Updated 2026-02-09 · CVE-2026-25533

CVSS v3.1: 8.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

enclave-vm versions prior to 2.10.1
@enclave-vm/core versions prior to 2.10.1

Description

The sandbox protections in enclave-vm are insufficient. The Abstract Syntax Tree (AST) sanitization can be circumvented using dynamic property accesses. The hardening of error objects does not fully account for peculiar behavior of the Node.js vm module. The restriction on access to the Function constructor can be bypassed through host object references. A bug in Node.js causes the vm module to leak host references during infinite recursion, which can be exploited to escape the sandbox. A proof of concept demonstrates execution of arbitrary commands, such as reading the /etc/passwd file, by leveraging this vulnerability. This could lead to sandbox escape and potential escalations in related products such as FrontMCP, AgentFront, and other Frontegg products. The exploit uses the ["__proto__"] property to access and modify prototype chains, ultimately leading to code execution. The vulnerable code involves a recursive function a() and manipulation of the rootProt object.

Recommendations

Update enclave-vm versions prior to 2.10.1 to version 2.10.1 or later.
Update @enclave-vm/core versions prior to 2.10.1 to version 2.10.1 or later.
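
One way to check a project against the affected versions above is to scan a parsed package-lock.json for copies of enclave-vm or @enclave-vm/core older than 2.10.1, including nested copies pulled in by other dependencies. This is an added example, not code from the advisory or from the enclave-vm project; the function names (isPriorToFix, nameFromPath, findAffected) and the sample lockfile are hypothetical and constructed for illustration.

```javascript
// Added example (not from the advisory); the sample lockfile below is constructed.
const AFFECTED = new Set(["enclave-vm", "@enclave-vm/core"]);
const FIXED = [2, 10, 1];

// True when `version` sorts before 2.10.1 (a 2.10.1 prerelease counts as prior).
function isPriorToFix(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version || "");
  if (!m) return true; // unparseable version: report it for manual review
  const parts = [m[1], m[2], m[3]].map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]);
}

// Package name from a lockfile v2/v3 key such as "node_modules/a/node_modules/@s/b".
function nameFromPath(key) {
  return key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Returns [{ name, version, path }] for every affected copy, including nested ones.
function findAffected(lock) {
  const hits = [];
  const check = (name, version, path) => {
    if (AFFECTED.has(name) && isPriorToFix(version)) hits.push({ name, version, path });
  };
  if (lock.packages) { // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [key, meta] of Object.entries(lock.packages)) {
      if (key.includes("node_modules/")) check(meta.name || nameFromPath(key), meta.version, key);
    }
  } else { // lockfileVersion 1: nested "dependencies" trees
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, prefix + name);
        walk(meta.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample: one fixed top-level copy, one older nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/enclave-vm": { version: "2.10.1" },
  "node_modules/some-agent/node_modules/@enclave-vm/core": { version: "2.9.0" },
} };
console.log(findAffected(sampleLock));
```

To run it against a real project, pass JSON.parse of the project's package-lock.json contents to findAffected; an empty result means no affected copy is locked.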

Exploit

Fix

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-25533
GHSA-X39W-8VM5-5M3P

Affected Products

@enclave-vm/core
AgentFront
FrontMCP
enclave-vm