Enclave Sandbox Escape Vulnerability via Dynamic Property Access and Error Object Manipulation

Vulnerability

A vulnerability in the Enclave JavaScript sandbox, in versions from 2.7.0 prior to 2.10.1, allows unauthorized access to host references, which can lead to sandbox escape. The issue has two causes: dynamic property accesses can bypass Abstract Syntax Tree (AST) sanitization, and the error object hardening fails to address the unique behaviors of the vm module. These weaknesses can be leveraged to traverse prototype chains and reach privileged operations, such as Node.js' require function, which can execute arbitrary code or commands on the host system.
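Why a static pass over property names misses computed keys while a runtime check does not, as an added example (not code from Enclave or from this advisory). All names in it are hypothetical, the inputs are constructed, and the guarded objects are assumed to be ordinary, non-frozen objects.

```javascript
// Added illustration, not Enclave's implementation. BLOCKED, staticCheck,
// guard, hostApi and demo are hypothetical names chosen for this example.
const BLOCKED = new Set(['constructor', '__proto__', 'prototype']);

// Simplified stand-in for an AST pass: it only sees names written literally.
function staticCheck(source) {
  return [...BLOCKED].filter((name) => source.includes(name));
}

// Runtime guard: the key is checked after it has been computed, on every
// read, and object results are wrapped so the check follows the chain.
function guard(target) {
  return new Proxy(target, {
    get(obj, key, receiver) {
      if (BLOCKED.has(key)) throw new TypeError(`blocked property: ${key}`);
      const value = Reflect.get(obj, key, receiver);
      const isRef = value !== null &&
        (typeof value === 'object' || typeof value === 'function');
      return isRef ? guard(value) : value;
    },
    // Reflection must not hand out what the get trap refuses.
    getPrototypeOf() { return null; },
  });
}

// Constructed sample: a host-side object handed to untrusted code.
const hostApi = { tools: { echo: (s) => s } };
// Two constructed snippets that name the same property.
const literalSrc = 'api.tools.constructor';
const computedSrc = "api.tools['con' + 'structor']";

// The computed form as running code: the key exists only at run time.
function readDynamic(api) {
  const key = ['con', 'structor'].join('');
  return api.tools[key];
}

function demo() {
  let runtimeBlocked = false;
  try { readDynamic(guard(hostApi)); } catch (e) { runtimeBlocked = e instanceof TypeError; }
  return {
    literalFlagged: staticCheck(literalSrc).length > 0,
    computedFlagged: staticCheck(computedSrc).length > 0,
    unguardedReachesObject: readDynamic(hostApi) === Object,
    runtimeBlocked,
    normalUseWorks: guard(hostApi).tools.echo('hi') === 'hi',
  };
}
console.log(demo());
```

The get trap only sees reads made through the proxy. Objects that reach sandboxed code another way, such as caught error objects, need their own hardening, which is the second weakness this advisory describes.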

Impact

Exploitation of this vulnerability allows for complete escape from the Enclave sandbox, with access to the host environment and the ability to execute arbitrary code or commands. This could lead to significant security breaches, especially in the context of FrontMCP, AgentFront, and other Frontegg products, where such an escape could be exploited for malicious purposes.

Reproduction

The vulnerability can be reproduced by creating an Enclave instance with a tool handler that simulates tool execution. Then, AgentScript code can be executed that triggers an infinite recursion, causing a stack overflow error. This error can be caught and used to access the prototype chain, ultimately reaching the Function constructor of the host environment. Once the reference to the Function constructor is obtained, it can be used to execute arbitrary code in the host context, such as accessing the file system.

Remediation

Users are advised to update to Enclave version 2.10.1, where this vulnerability has been fixed.

Added: Feb 6, 2026, 11:39 PM
Updated: Feb 6, 2026, 11:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.