CVE-2026-25533
Published: 06 February 2026
Summary
CVE-2026-25533 is a high-severity Infinite Loop (CWE-835) vulnerability in Agentfront Enclave. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611). The CVE ranks at the 0.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates CVE-2026-25533 by requiring timely identification, reporting, and patching of flaws in Enclave's AST sanitization, error object hardening, and function constructor access prevention.
Implements a reference monitor in the JavaScript sandbox to mediate all subject-object accesses, preventing bypasses via dynamic property accesses, vm module peculiarities, and host object references.
Enforces software-based separation policies isolating untrusted AI agent code execution from host resources, countering sandbox escape exploits in enclave-vm.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The CVE describes a sandbox escape in a JavaScript VM via multiple bypasses (AST, error hardening, constructor access), directly enabling host escape (T1611) and privilege escalation to arbitrary code execution (T1068).
NVD Description
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior of the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.
Deeper analysis (AI)
CVE-2026-25533 is a vulnerability in Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. It affects the enclave-vm component in versions prior to 2.10.1, where multiple security layers prove insufficient. Specifically, AST sanitization can be bypassed using dynamic property accesses, error object hardening fails to address peculiar behaviors in the vm module, and function constructor access prevention can be circumvented via host object references. The issue carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-835.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation changes the scope, enabling high confidentiality, integrity, and availability impacts, such as full sandbox escape and potential arbitrary code execution on the host system.
The vulnerability is addressed in Enclave version 2.10.1. Mitigation details, including the fixing commit and security advisory, are documented on the project's GitHub repository at https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca and https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p. A related research publication is available at https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf.
This flaw is notable in the context of AI/ML applications, as Enclave targets safe execution of AI agent code in JavaScript environments. No public information on real-world exploitation is available.
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai