Skip to content
ATR-2026-00436critical權限提升experimental

Enclave VM Sandbox Escape RCE (CVE-2026-27597)

Detects exploitation of CVE-2026-27597 (CVSS 10.0), security-boundary escape in Agentfront Enclave (`@enclave-vm/core`) prior to v2.11.1. Enclave is a JavaScript sandbox marketed for safe AI-agent code execution; the upstream advisory states only that escape is possible without naming a single technique. This rule detects the canonical JavaScript-sandbox escape primitives — Function constructor through .constructor.constructor, prototype-chain pollution reaching the host realm, Error.prepareStackTrace abuse, and require/process exfiltration — when they appear inside code destined for `@enclave-vm/core` evaluation. CWE-94.

嚴重度
critical
類別
權限提升
掃描目標
both
作者
ATR Community

建議回應

alertblock tool

參考資料

CVE
CVE-2026-27597
OWASP Agentic
ASI05:2026 - Unexpected Code ExecutionASI06:2026 - Sandbox Escape
OWASP LLM
LLM05:2025 - Improper Output HandlingLLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS
AML.T0050 - Command and Scripting InterpreterAML.T0049 - Exploit Public-Facing Application

偵測條件

組合方式: any
  1. 01
    Function-constructor chain reaching process / require / globalThis — canonical JS sandbox escape
    欄位: content運算子: regex
  2. 02
    Direct globalThis.process / globalThis.require access — host-realm leakage
    欄位: content運算子: regex
  3. 03
    Error.prepareStackTrace abuse pulling host-realm objects through stack frames — Node sandbox escape
    欄位: content運算子: regex
  4. 04
    Anonymous function .constructor invocation returning process / require — sandbox-escape primitive
    欄位: content運算子: regex
  5. 05
    Prototype pollution writing constructor / toString / polluted on Object.prototype — escape primitive
    欄位: content運算子: regex
  6. 06
    Object.getPrototypeOf().constructor() walk reaching process / require — escape primitive
    欄位: content運算子: regex
  7. 07
    Skill / payload references @enclave-vm/core escape — CVE-2026-27597 explicit framing
    欄位: content運算子: regex

攻擊範例(規則會觸發)

  1. (function(){}).constructor.constructor("return process")()
  2. this.constructor.constructor("return require(\"child_process\").execSync(\"id\")")()
  3. globalThis.process.mainModule.require("child_process").execSync("id")
  4. Error.prepareStackTrace = function(_, frames) { return frames[0].getThis().process }; new Error().stack
  5. ({}).__proto__.polluted = function() { return require("child_process") }
  6. Object.getPrototypeOf(async function(){}).constructor("return process.mainModule.require")
  7. The @enclave-vm/core sandbox can be escaped via constructor chain — see CVE-2026-27597.

以上為真實攻擊 payload 脫敏版本。用於 regression testing。

正常樣本(規則不會觸發)

  1. Benign user code, no constructor chain
    function add(a, b) { return a + b; }
  2. getPrototypeOf used for inspection, no constructor() call
    const proto = Object.getPrototypeOf(myObj); console.log(proto);
  3. Defensive guidance against prototype pollution
    Use weakset.has(obj) instead of polluting __proto__ for fast lookup.
  4. Documentation mentioning process — not behind constructor chain or globalThis
    process.argv contains the command-line arguments in Node.js.
  5. Standard class constructor — not the escape primitive
    class Foo extends Bar { constructor() { super(); this.x = 1; } }

已知誤報情境

  • Defensive documentation describing sandbox-escape techniques for educational or research purposes.
  • Static analysis output reporting these patterns in dependencies.
  • Security research write-ups discussing CVE-2026-27597 with quoted bypass code.

已記錄的規避手法

  1. 手法: bracket property access
    this["constructor"]["constructor"]("return process")()
    Bracket-notation property access still matches the constructor.constructor regex through the .constructor segment after replacement
  2. 手法: reflect construct alternative
    Reflect.construct(Function, ["return process"])()
    Reflect.construct on the Function global is an equivalent escape primitive that bypasses the .constructor regex; v2 should add Reflect.construct(Function, ...) pattern

這些是公開記錄的繞過手法。誠實揭露限制,而不是假裝不存在。

完整 YAML 定義

在 GitHub 編輯 →
title: "Enclave VM Sandbox Escape RCE (CVE-2026-27597)"
id: ATR-2026-00436
rule_version: 1
status: experimental
description: >
  Detects exploitation of CVE-2026-27597 (CVSS 10.0), security-boundary
  escape in Agentfront Enclave (`@enclave-vm/core`) prior to v2.11.1.
  Enclave is a JavaScript sandbox marketed for safe AI-agent code execution;
  the upstream advisory states only that escape is possible without naming
  a single technique. This rule detects the canonical JavaScript-sandbox
  escape primitives — Function constructor through .constructor.constructor,
  prototype-chain pollution reaching the host realm, Error.prepareStackTrace
  abuse, and require/process exfiltration — when they appear inside code
  destined for `@enclave-vm/core` evaluation. CWE-94.
author: "ATR Community"
date: "2026/05/10"
schema_version: "0.1"
detection_tier: pattern
maturity: test
severity: critical

references:
  owasp_llm:
    - "LLM05:2025 - Improper Output Handling"
    - "LLM02:2025 - Sensitive Information Disclosure"
  owasp_agentic:
    - "ASI05:2026 - Unexpected Code Execution"
    - "ASI06:2026 - Sandbox Escape"
  mitre_atlas:
    - "AML.T0050 - Command and Scripting Interpreter"
    - "AML.T0049 - Exploit Public-Facing Application"
  mitre_attack:
    - "T1611 - Escape to Host"
    - "T1059.007 - JavaScript"
    - "T1059 - Command and Scripting Interpreter"
  cve:
    - "CVE-2026-27597"

metadata_provenance:
  mitre_atlas: human-reviewed
  owasp_llm: human-reviewed
  owasp_agentic: human-reviewed

compliance:
  eu_ai_act:
    - article: "15"
      context: "CVE-2026-27597 Enclave VM allows escaping the JavaScript sandbox boundary to reach the host realm and achieve remote code execution; Article 15 cybersecurity requirements mandate that AI agent code-execution sandboxes maintain isolation under adversarial input."
      strength: primary
    - article: "9"
      context: "Article 9 risk management must enumerate sandbox-escape via constructor-chain / prototype-pollution / Error.prepareStackTrace as primary high-risk evasion vectors for any agent code-execution layer."
      strength: primary
  nist_ai_rmf:
    - subcategory: "MP.5.1"
      context: "Adversarial inputs designed to escape JS sandbox boundaries (constructor chain, prototype pollution, Error.prepareStackTrace, host-realm leakage) must be tracked as a primary evasion class for any agent code-execution surface."
      strength: primary
    - subcategory: "MG.2.3"
      context: "Risk treatment under MG.2.3 must prohibit user-controlled JavaScript reaching `@enclave-vm/core` versions prior to 2.11.1, and must require continuous evaluation of sandbox isolation under known-bypass corpora."
      strength: primary
  iso_42001:
    - clause: "8.6"
      context: "Operational controls under clause 8.6 must include detection of canonical JavaScript sandbox-escape primitives in code submitted to any agent VM/sandbox layer."
      strength: primary

tags:
  category: privilege-escalation
  subcategory: js-sandbox-escape
  scan_target: both
  confidence: high

agent_source:
  type: llm_io
  framework:
    - enclave-vm
    - any
  provider:
    - any

detection:
  condition: any
  false_positives:
    - "Defensive documentation describing sandbox-escape techniques for educational or research purposes."
    - "Static analysis output reporting these patterns in dependencies."
    - "Security research write-ups discussing CVE-2026-27597 with quoted bypass code."
  conditions:
    - field: content
      operator: regex
      value: '(?i)(?:[\w\)\.])\.constructor\.constructor\s*\(\s*["\x27`][^"\x27`]{0,200}(?:return\s+(?:process|require|globalThis|global)|process\.|require\s*\()'
      description: "Function-constructor chain reaching process / require / globalThis — canonical JS sandbox escape"

    - field: content
      operator: regex
      value: '(?i)(?:^|[^a-zA-Z_$])globalThis\s*\.\s*(?:process|Buffer|require)\b'
      description: "Direct globalThis.process / globalThis.require access — host-realm leakage"

    - field: content
      operator: regex
      value: '(?i)Error\.prepareStackTrace\s*=\s*(?:function|\([^)]*\)\s*=>)[\s\S]{0,300}(?:process|require|globalThis|child_process|__proto__)'
      description: "Error.prepareStackTrace abuse pulling host-realm objects through stack frames — Node sandbox escape"

    - field: content
      operator: regex
      value: '(?i)\(\s*(?:async\s+)?function\s*\*?\s*\([^)]*\)\s*\{[\s\S]{0,200}\}\s*\)\s*\.\s*constructor\s*\(\s*["\x27`][\s\S]{0,200}(?:return\s+process|require\s*\(|child_process)'
      description: "Anonymous function .constructor invocation returning process / require — sandbox-escape primitive"

    - field: content
      operator: regex
      value: '(?i)(?:[^\w]|^)__proto__\s*\.\s*(?:constructor|polluted|toString)\s*=\s*(?:function|\(.*?\)\s*=>|process|require)'
      description: "Prototype pollution writing constructor / toString / polluted on Object.prototype — escape primitive"

    - field: content
      operator: regex
      value: '(?i)Object\.getPrototypeOf\s*\(\s*[^)]+\)\s*\.\s*constructor\s*\(\s*["\x27`][\s\S]{0,200}(?:return\s+process|require)'
      description: "Object.getPrototypeOf().constructor() walk reaching process / require — escape primitive"

    - field: content
      operator: regex
      value: '(?i)(?:enclave-?vm|@enclave-vm/core)[^\n]{0,200}(?:escape|bypass|sandbox|rce|cve-?2026-?27597|prototype\s+pollut|constructor\s+chain)'
      description: "Skill / payload references @enclave-vm/core escape — CVE-2026-27597 explicit framing"

response:
  actions:
    - alert
    - block_tool
  message_template: >
    [ATR-2026-00436] CRITICAL: JavaScript VM sandbox escape pattern detected
    (CVE-2026-27597, CVSS 10.0). Code reaching `@enclave-vm/core` evaluation
    contains a canonical sandbox-escape primitive: Function-constructor chain,
    globalThis.process access, Error.prepareStackTrace abuse, prototype
    pollution, or Object.getPrototypeOf().constructor() walk. Refuse to
    evaluate; require Enclave >= 2.11.1 and continuous bypass-corpus eval.

confidence: 86

test_cases:
  true_positives:
    - input: '(function(){}).constructor.constructor("return process")()'
      expected: triggered
      description: "Direct CVE-2026-27597 PoC: anonymous-function constructor chain returning process"
    - input: 'this.constructor.constructor("return require(\"child_process\").execSync(\"id\")")()'
      expected: triggered
      description: "this.constructor.constructor reaching require(child_process)"
    - input: 'globalThis.process.mainModule.require("child_process").execSync("id")'
      expected: triggered
      description: "globalThis.process direct host-realm leak"
    - input: 'Error.prepareStackTrace = function(_, frames) { return frames[0].getThis().process }; new Error().stack'
      expected: triggered
      description: "Error.prepareStackTrace returning frame this.process — escape primitive"
    - input: '({}).__proto__.polluted = function() { return require("child_process") }'
      expected: triggered
      description: "Prototype pollution writing function returning require"
    - input: 'Object.getPrototypeOf(async function(){}).constructor("return process.mainModule.require")'
      expected: triggered
      description: "Object.getPrototypeOf walk to async-function constructor returning process"
    - input: 'The @enclave-vm/core sandbox can be escaped via constructor chain — see CVE-2026-27597.'
      expected: triggered
      description: "Skill description weaponising CVE-2026-27597"

  true_negatives:
    - input: 'function add(a, b) { return a + b; }'
      expected: not_triggered
      description: "Benign user code, no constructor chain"
    - input: 'const proto = Object.getPrototypeOf(myObj); console.log(proto);'
      expected: not_triggered
      description: "getPrototypeOf used for inspection, no constructor() call"
    - input: 'Use weakset.has(obj) instead of polluting __proto__ for fast lookup.'
      expected: not_triggered
      description: "Defensive guidance against prototype pollution"
    - input: 'process.argv contains the command-line arguments in Node.js.'
      expected: not_triggered
      description: "Documentation mentioning process — not behind constructor chain or globalThis"
    - input: 'class Foo extends Bar { constructor() { super(); this.x = 1; } }'
      expected: not_triggered
      description: "Standard class constructor — not the escape primitive"

evasion_tests:
  - input: 'this["constructor"]["constructor"]("return process")()'
    expected: triggered
    bypass_technique: bracket_property_access
    notes: "Bracket-notation property access still matches the constructor.constructor regex through the .constructor segment after replacement"
  - input: 'Reflect.construct(Function, ["return process"])()'
    expected: not_triggered
    bypass_technique: reflect_construct_alternative
    notes: "Reflect.construct on the Function global is an equivalent escape primitive that bypasses the .constructor regex; v2 should add Reflect.construct(Function, ...) pattern"

修訂歷史

建立於
2026-05-10
最後修改
2026-05-11
在 GitHub 查看完整 commit 歷史 →

更多 權限提升 規則

ATR-2026-00040criticalPrivilege Escalation and Admin Function AccessATR-2026-00041mediumAgent Scope Creep DetectionATR-2026-00064highOver-Permissioned MCP SkillATR-2026-00107highPrivilege Escalation via Delayed Task Execution BypassATR-2026-00110criticalRemote Code Execution via eval() and Dynamic Code Injection