Cyber Resilience

CVE-2026-25533

Medium · Public PoC

Published: 06 February 2026

Modified: 20 February 2026
KEV Added: not listed
Patch: fixed in 2.10.1
CVSS Score v4: 6.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0023 (13.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-25533 is a medium-severity Infinite Loop (CWE-835) vulnerability in Agentfront Enclave. Its CVSS base score is 6.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked at the 13.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Deeper analysis

CVE-2026-25533 is a vulnerability in Enclave, a secure JavaScript sandbox designed for safe AI agent code execution. It affects the enclave-vm component in versions prior to 2.10.1, where multiple security layers prove insufficient. Specifically, AST sanitization can be bypassed using dynamic property accesses, error object hardening fails to address peculiar behaviors in the vm module, and function constructor access prevention can be circumvented via host object references. The issue carries a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-835.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Exploitation changes the scope, enabling high confidentiality, integrity, and availability impacts, such as full sandbox escape and potential arbitrary code execution on the host system.

The vulnerability is addressed in Enclave version 2.10.1. Mitigation details, including the fixing commit and security advisory, are documented on the project's GitHub repository at https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca and https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p. A related research publication is available at https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf.

This flaw is notable in the context of AI/ML applications, as Enclave targets safe execution of AI agent code in JavaScript environments. No public information on real-world exploitation is available.

EU & UK References

Vulnerability details

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: the AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior of the vm module, and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.

CWE(s)

AI Security Analysis

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1611 Escape to Host (Privilege Escalation)
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a sandbox escape in a JavaScript VM via multiple bypasses (AST, error hardening, constructor access), directly enabling host escape (T1611) and privilege escalation to arbitrary code execution (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22686 (same product: Agentfront Enclave)
CVE-2026-27597 (same product: Agentfront Enclave)
CVE-2026-39885 (same vendor: Agentfront)
CVE-2026-33891 (shared CWE-835)
CVE-2026-31448 (shared CWE-835)
CVE-2026-21905 (shared CWE-835)
CVE-2026-33699 (shared CWE-835)
CVE-2026-23451 (shared CWE-835)
CVE-2026-29975 (shared CWE-835)
CVE-2026-42899 (shared CWE-835)

Affected Assets

agentfront
enclave
2.7.0 — 2.10.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates CVE-2026-25533 by requiring timely identification, reporting, and patching of flaws in Enclave's AST sanitization, error object hardening, and function constructor access prevention.

prevent (AC-25, Reference Monitor)

Implements a reference monitor in the JavaScript sandbox to mediate all subject-object accesses, preventing bypasses via dynamic property accesses, vm module peculiarities, and host object references.

prevent (SC-50, Software-enforced Separation and Policy Enforcement)

Enforces software-based separation policies isolating untrusted AI agent code execution from host resources, countering sandbox escape exploits in enclave-vm.

References