CVE-2026-22686

Vendor: Enclave · Product: Enclave, a secure JavaScript sandbox designed for safe AI agent code · Affected: Multiple Products

Executive summary

A critical vulnerability has been discovered in the Enclave JavaScript sandbox, which allows untrusted code, such as that from an AI agent, to break out of its isolated environment. This "sandbox escape" permits an attacker to execute arbitrary commands on the underlying host system, leading to a complete system compromise, data theft, and unauthorized access to network resources.

Vulnerability

The vulnerability exists in how the enclave-vm handles errors. When a sandboxed tool invocation fails, the system exposes a host-level Error object directly to the sandboxed code without properly sanitizing it. An attacker can intentionally trigger such an error to gain access to this object. By traversing the object's prototype chain, the attacker can reach the host's native Function constructor, a powerful function that can compile and execute new JavaScript code. Using this, the attacker can run arbitrary code outside the sandbox, in the context of the host Node.js process, effectively gaining full control over the host machine.

Business impact

This vulnerability is of critical severity with a CVSS score of 10, representing the highest possible risk. Successful exploitation leads to a complete compromise of the host system running the Enclave sandbox. Potential consequences include the theft of sensitive data such as API keys and credentials from environment variables, unauthorized access to the filesystem and internal network, deployment of ransomware or other malware, and using the compromised system to launch further attacks. For organizations using Enclave to run AI agents, this means a malicious prompt or agent code could take over the entire server, subverting the core security purpose of the sandbox.

Remediation

Immediate Action: Upgrade all instances of the affected Enclave products to version 2.7.0 or later. This version contains the patch that prevents the host Error object from being exposed to the sandbox. After patching, review system and application logs for any signs of past exploitation attempts.

Proactive Monitoring:

  • Log Analysis: Monitor application logs for an unusual volume of tool invocation failures, which could indicate an attacker attempting to trigger the vulnerability.
  • Process Monitoring: Watch the Node.js process running Enclave for anomalous behavior, such as spawning unexpected child processes (e.g., shells), accessing sensitive files, or making unauthorized outbound network connections.
  • Code Auditing: Where possible, audit JavaScript code intended for the sandbox for patterns that attempt to manipulate or traverse object prototypes (e.g., use of constructor, __proto__, or Object.getPrototypeOf).

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Principle of Least Privilege: Run the Node.js application using a dedicated, unprivileged user account with minimal filesystem permissions.
  • Containerization: Run the application within a hardened container (e.g., distroless) with restrictive security profiles (like Seccomp and AppArmor) to limit the kernel-level calls an escaped process can make.
  • Network Segmentation: Use firewalls to strictly limit outbound network connections from the host, preventing an attacker from exfiltrating data or establishing a connection to a command-and-control server.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 10 and the potential for complete system compromise, this vulnerability requires immediate attention. We strongly recommend that all affected systems be patched to version 2.7.0 or later without delay. Prioritize patching for internet-facing systems and for any systems that process untrusted code from third-party sources. Although this vulnerability is not currently listed on the CISA KEV list, its severity warrants treating it with the same urgency as a known exploited vulnerability.