CRITICALCVE-2026-27597CVSS 10

CVE-2026-27597: RCE in @enclave-vm/core Node.js Module

Q: What is CVE-2026-27597 — RCE in @enclave-vm/core?

CVE-2026-27597 is a critical remote code execution vulnerability in the @enclave-vm/core Node.js module, allowing attackers to bypass security boundaries and potentially execute arbitrary code.

Q: Am I affected by CVE-2026-27597 in @enclave-vm/core?

You are affected if you are using @enclave-vm/core versions prior to 2.11.1. Check your project dependencies immediately.

Q: How do I fix CVE-2026-27597 in @enclave-vm/core?

Upgrade to version 2.11.1 or later. If immediate upgrade is not possible, consider temporarily disabling memory limits, but understand the security implications.

Q: Is CVE-2026-27597 being actively exploited?

There is currently no indication of active exploitation, but the CRITICAL severity warrants immediate action.

Q: Where can I find the official @enclave-vm/core advisory for CVE-2026-27597?

Refer to the project's repository or official documentation for the advisory related to CVE-2026-27597.

Platform

nodejs

Component

@enclave-vm/core

Fixed in

2.11.2

2.11.1

AI Confidence: highNVDEPSS 0.5%Reviewed: May 2026

View on NVD

Save

CVE-2026-27597 describes a remote code execution (RCE) vulnerability within the @enclave-vm/core Node.js module. This flaw allows attackers to bypass security boundaries and potentially execute arbitrary code. The vulnerability impacts versions prior to 2.11.1, and a fix has been released in version 2.11.1.

Impact and Attack Scenarios

The core of this vulnerability lies in the ability to obtain the native Object constructor instead of the intended SafeObject wrapper. This circumvents the security sandbox implemented by @enclave-vm/core. By retrieving property descriptors via Object.getOwnPropertyDescriptors, an attacker can access properties that are normally restricted. The hostmemorytrack host object, when a memory limit is set (the default configuration), provides a further avenue for escaping the sandbox and achieving code execution. Successful exploitation could allow an attacker to compromise the entire Node.js process and potentially gain control of the underlying system.

Exploitation Context

This vulnerability was publicly disclosed on 2026-02-25. There is currently no indication of active exploitation in the wild, but the CRITICAL severity and the potential for RCE warrant immediate attention. The availability of a fix (version 2.11.1) significantly reduces the risk. No KEV listing or EPSS score is currently available.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports7 threat reports

EPSS

0.50% (66% percentile)

CISA SSVC

Exploitationpoc

Automatableyes

Technical Impacttotal

CVSS Vector

Affected Software

Component@enclave-vm/core

Vendorosv

Affected rangeFixed in

< 2.11.1 – < 2.11.12.11.2

—2.11.1

Weakness Classification (CWE)

CWE-94

Timeline

Reserved2026-02-20
Published2026-02-25
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation for CVE-2026-27597 is to immediately upgrade the @enclave-vm/core module to version 2.11.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling memory limits within the module's configuration, although this significantly reduces the security posture. While not a complete solution, implementing strict input validation and sanitization on any data passed to the module can help reduce the attack surface. Monitor system logs for unusual activity related to @enclave-vm/core and investigate any suspicious patterns.

How to fix

Actualice el paquete `@enclave-vm/core` a la versión 2.11.1 o superior. Esto solucionará la vulnerabilidad de escape de sandbox y prevendrá la posible ejecución remota de código. Ejecute `npm install @enclave-vm/core@latest` para actualizar.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-27597 — RCE in @enclave-vm/core?

CVE-2026-27597 is a critical remote code execution vulnerability in the @enclave-vm/core Node.js module, allowing attackers to bypass security boundaries and potentially execute arbitrary code.

Am I affected by CVE-2026-27597 in @enclave-vm/core?

You are affected if you are using @enclave-vm/core versions prior to 2.11.1. Check your project dependencies immediately.

How do I fix CVE-2026-27597 in @enclave-vm/core?

Upgrade to version 2.11.1 or later. If immediate upgrade is not possible, consider temporarily disabling memory limits, but understand the security implications.

Is CVE-2026-27597 being actively exploited?

There is currently no indication of active exploitation, but the CRITICAL severity warrants immediate action.

Where can I find the official @enclave-vm/core advisory for CVE-2026-27597?

Refer to the project's repository or official documentation for the advisory related to CVE-2026-27597.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.