JavaScript Sandbox Vulnerability in Enclave by Agentfront
CVE-2026-25533

6.4 MEDIUM

Key Information:

Vendor: Agentfront
Status: Vendor
CVE Published: 6 February 2026

What is CVE-2026-25533?

Prior to version 2.10.1, Enclave, a secure JavaScript sandbox by Agentfront, had several security weaknesses. Abstract Syntax Tree (AST) sanitization could be bypassed through dynamic property accesses. The hardening of error object handling did not cover specific functionalities of the vm module, allowing unauthorized access. Restrictions on the function constructor were applied ineffectively and could be circumvented via host object references. Version 2.10.1 addresses these critical security concerns with improved protections.

Affected Version(s)

enclave < 2.10.1

CVSS V4

Score: 6.4
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved