CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22686: The Trojan Horse of Errors: Escaping Enclave-VM via Host Prototype Chains

Vulnerability ID: CVE-2026-22686
CVSS Score: 10.0
Published: 2026-01-14

A critical sandbox escape vulnerability in enclave-vm allows malicious code to break out of the JavaScript sandbox by leveraging host-side Error objects. By traversing the prototype chain of an error returned from a failed tool call, attackers can access the host's Function constructor and execute arbitrary code on the underlying server.

TL;DR

If an AI agent or untrusted script running inside enclave-vm triggers an error in a host tool, the sandbox previously handed it a raw Host Error object. Attackers can climb this object's prototype chain (error.__proto__.constructor.constructor) to get a reference to the Host's Function constructor, enabling full Remote Code Execution (RCE) and total system compromise. Fixed in version 2.7.0.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-693 (Protection Mechanism Failure)
  • CVSS v3.1: 10.0 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Prototype Chain Traversal via Host Object Leak
  • Exploit Status: PoC Available (Vector 35)
  • EPSS Score: 0.00102

Affected Systems

  • enclave-vm < 2.7.0
  • Node.js applications using enclave-vm for AI sandboxing
  • Agentic AI frameworks relying on enclave-vm for tool execution
  • enclave-vm: < 2.7.0 (Fixed in: 2.7.0)

Code Analysis

Commit: ed8bc43

Fix host error leakage via prototype severing and JSON bridge mode

+ Object.setPrototypeOf(error, null);
+ const SafeConstructor = Object.create(null);
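
Review bot: `Object.setPrototypeOf(error, null)` on the first added line severs only the top-level error's prototype, so any own property that holds another host object (a nested `cause`, for example) keeps its full prototype chain, and the call throws a TypeError if the error has been made non-extensible. It also mutates the host's error in place, which changes what host-side handlers see afterwards. Consider building the sandbox-facing error as a fresh null-prototype object that copies only primitive fields. On the second added line, `SafeConstructor` is created but the visible lines do not show where it is attached, so a comment naming the property it replaces would help.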

Mitigation Strategies

  • Upgrade to enclave-vm v2.7.0+
  • Enforce JSON-based serialization for all cross-realm communication
  • Sever prototype chains on any objects passed to untrusted contexts
  • Implement deep-freeze on error objects before sharing them

Remediation Steps:

  1. Run npm install enclave-vm@latest to fetch version 2.7.0.
  2. Review any custom tool bridge implementations to ensure mode: 'direct' is NOT used.
  3. If mode: 'direct' is required, manually sanitize all return values and exceptions using createSafeError logic.
  4. Restart the Node.js service to load the new library version.
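
The sanitization that the mitigation list and remediation step 3 call for, as an added example that is not enclave-vm's code or its createSafeError. The names toSafeError, exposesHostObject and demo are hypothetical, the sample errors are constructed, and the example goes slightly beyond the page by also handling a nested cause, which shows why severing only the top-level prototype is not sufficient.

```javascript
// Added illustration, not enclave-vm's createSafeError; all names are hypothetical.

// Build a fresh null-prototype object holding only strings, then freeze it.
// The host error itself is never handed over or mutated.
function toSafeError(err, depth = 0) {
  const isObj = err !== null && (typeof err === 'object' || typeof err === 'function');
  const safe = Object.create(null);
  safe.name = isObj && typeof err.name === 'string' ? err.name : 'Error';
  safe.message = isObj ? (typeof err.message === 'string' ? err.message : '') : String(err);
  // Nested errors are sanitized too; the depth cap (an assumption) stops cycles.
  if (isObj && 'cause' in err && depth < 3) safe.cause = toSafeError(err.cause, depth + 1);
  return Object.freeze(safe);
}

// Audit helper: true if anything reachable through own properties still has a
// prototype, is a function, or sits behind an accessor (a getter is a function).
function exposesHostObject(value, seen = new Set()) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return false;
  if (typeof value === 'function' || Object.getPrototypeOf(value) !== null) return true;
  if (seen.has(value)) return false;
  seen.add(value);
  return Reflect.ownKeys(value).some((key) => {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    return 'value' in desc ? exposesHostObject(desc.value, seen) : true;
  });
}

// Constructed sample: a tool failure whose cause is another host error.
function demo() {
  const makeErr = () => new Error('tool failed: ENOENT', { cause: new TypeError('bad path') });
  const shallow = makeErr();
  Object.setPrototypeOf(shallow, null); // top level severed, cause untouched
  const safe = toSafeError(makeErr());
  return {
    rawExposed: exposesHostObject(makeErr()),
    shallowExposed: exposesHostObject(shallow),
    safeExposed: exposesHostObject(safe),
    frozen: Object.isFrozen(safe),
    safe,
  };
}

console.log(demo());
```

The audit helper can run in a unit test over every value a tool bridge returns or throws, so a regression that leaks a host object fails the build.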

Read the full report for CVE-2026-22686 on our website for more details including interactive diagrams and full exploit analysis.