8 matches found
Node.js Module @enclave-vm/core < 2.11.0 RCE
The version of the @enclave-vm/core Node.js module installed on the remote host is prior to 2.11.0. It is, therefore, affected by a remote code execution vulnerability: - It is possible to escape the security boundaries of the sandbox, which can be used to achieve remote code execution...
@enclave-vm/core is vulnerable to Sandbox Escape
Summary: It is possible to escape the security boundaries set by @enclave-vm/core, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1. --- Details: It is possible to obtain the native Object constructor instead of the SafeObject wrapper. This can be...
CVE-2026-27597 @enclave-vm/core is vulnerable to Sandbox Escape
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by @enclave-vm/core, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1...
CVE-2026-27597
Summary: CVE-2026-27597 affects Enclave’s secure JavaScript sandbox with a vulnerability in the @enclave-vm/core boundaries prior to 2.11.1, allowing an attacker to escape the sandbox and achieve remote code execution. The issue is mitigated by upgrading to version 2.11.1, where the boundary esca...
@enclave-vm/broker (>=0.0.1 <=2.10.0), @enclave-vm/runtime (>=0.0.1 <=2.10.0) potentially affected by CVE-2026-25533 via @enclave-vm/core (>=0.0.1 <=2.10.0)
@enclave-vm/core NPM version =0.0.1, =0.0.1, =0.0.1, =2.10.0 Source cves: CVE-2026-25533 Source advisory: OSV:GHSA-X39W-8VM5-5M3P...
@enclave-vm/broker (=2.10.0), @enclave-vm/runtime (=2.10.0) potentially affected by CVE-2026-25533 via @enclave-vm/core (=2.10.0)
@enclave-vm/core NPM version =2.10.0 is affected by a known vulnerability. The following packages have a transitive dependency on @enclave-vm/core and may be impacted: - @enclave-vm/broker =2.10.0 - @enclave-vm/runtime =2.10.0 Source cves: CVE-2026-25533 Source advisory:...
Infinite loop
Overview: @enclave-vm/core is a sandbox runtime for secure JavaScript code execution. Affected versions of this package are vulnerable to Infinite loop via infinite recursion in the vm module. An attacker can execute arbitrary code outside the intended sandbox by crafting recursive calls that explo...
Sandbox escape via infinite recursion and error objects
Note: The npm package has moved to @enclave-vm/core (formerly enclave-vm). All fixed versions and guidance refer to @enclave-vm/core. Summary: The existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the err...