Platform
nodejs
Component
@enclave-vm/core
Fixed in
2.11.2
2.11.1
CVE-2026-27597 describes a remote code execution (RCE) vulnerability within the @enclave-vm/core Node.js module. This flaw allows attackers to bypass security boundaries and potentially execute arbitrary code. The vulnerability impacts versions prior to 2.11.1, and a fix has been released in version 2.11.1.
The core of this vulnerability lies in the ability to obtain the native Object constructor instead of the intended SafeObject wrapper. This circumvents the security sandbox implemented by @enclave-vm/core. By retrieving property descriptors via Object.getOwnPropertyDescriptors, an attacker can access properties that are normally restricted. The hostmemorytrack host object, when a memory limit is set (the default configuration), provides a further avenue for escaping the sandbox and achieving code execution. Successful exploitation could allow an attacker to compromise the entire Node.js process and potentially gain control of the underlying system.
This vulnerability was publicly disclosed on 2026-02-25. There is currently no indication of active exploitation in the wild, but the CRITICAL severity and the potential for RCE warrant immediate attention. The availability of a fix (version 2.11.1) significantly reduces the risk. No KEV listing or EPSS score is currently available.
Applications utilizing the @enclave-vm/core Node.js module, particularly those relying on its security sandbox for sensitive operations, are at risk. This includes applications handling untrusted data or performing operations with elevated privileges. Developers using older versions of the module and those with default configurations (memory limits enabled) are particularly vulnerable.
• nodejs / module: `npm list @enclave-vm/core`
• nodejs / module: Check for versions prior to 2.11.1.
• nodejs / module: Examine application code for usage of Object.getOwnPropertyDescriptors within the context of @enclave-vm/core.
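The two detection steps above can be automated. The following is an added example (not code from the advisory or from the @enclave-vm/core project): it walks the JSON tree that `npm ls --all --json` produces, flags every installed copy of @enclave-vm/core older than the 2.11.1 fix (including transitive copies that a top-level `npm list` can miss), and locates calls to Object.getOwnPropertyDescriptors in source text for review. The `npm ls` output and the source snippet are constructed samples; `createSandbox` in the snippet is a hypothetical helper, not the module's API.

```javascript
// Added example (not from the advisory or the @enclave-vm/core project).
// Detection helpers for CVE-2026-27597: version check over an `npm ls --json`
// tree plus a source scan for the API named in the advisory's review step.

const PACKAGE = '@enclave-vm/core';
const FIXED_VERSION = '2.11.1'; // fixed release named in the advisory

// Compare two dotted numeric versions; returns <0, 0, >0 like a comparator.
// A pre-release suffix (e.g. "2.11.1-beta.1") sorts before the same release
// number, which is the conservative choice for a vulnerability check.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.split('-', 2);
    return { parts: core.split('.').map(Number), pre: pre !== undefined };
  };
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.parts[i] || 0) - (pb.parts[i] || 0);
    if (d !== 0) return d;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Recursively collect every installed copy of `name` from an `npm ls --json`
// tree. Returns [{ path, version, vulnerable }]; path is the dependency chain.
function findVulnerableCopies(tree, name = PACKAGE, fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (node, chain) => {
    const deps = node.dependencies || {};
    for (const [depName, dep] of Object.entries(deps)) {
      const path = [...chain, depName];
      if (depName === name && typeof dep.version === 'string') {
        hits.push({
          path: path.join(' > '),
          version: dep.version,
          vulnerable: compareVersions(dep.version, fixed) < 0,
        });
      }
      walk(dep, path); // transitive dependencies live under each dep
    }
  };
  walk(tree, []);
  return hits;
}

// Return the 1-based line numbers in `source` that mention the API the
// advisory asks reviewers to look for, so the call sites can be inspected.
function findDescriptorUsage(source) {
  const out = [];
  source.split('\n').forEach((line, i) => {
    if (line.includes('Object.getOwnPropertyDescriptors')) out.push(i + 1);
  });
  return out;
}

// Constructed sample `npm ls --all --json` output (not from a real project):
// one direct copy on the fixed version and one transitive copy that is old.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    '@enclave-vm/core': { version: '2.11.1' },
    'some-plugin': {
      version: '0.4.2',
      dependencies: {
        '@enclave-vm/core': { version: '2.10.7' },
      },
    },
  },
};

// Constructed sample source; `createSandbox` is a hypothetical helper.
const SAMPLE_SOURCE = [
  "const vm = require('@enclave-vm/core');",
  'const sandbox = createSandbox(vm);',
  'const desc = Object.getOwnPropertyDescriptors(sandbox.globals);',
].join('\n');

// Run both checks over the samples and return the findings.
function report(tree = SAMPLE_NPM_LS, source = SAMPLE_SOURCE) {
  const copies = findVulnerableCopies(tree);
  return {
    copies,
    vulnerable: copies.filter((c) => c.vulnerable),
    descriptorLines: findDescriptorUsage(source),
  };
}

const result = report();
for (const c of result.copies) {
  console.log(`${c.path}@${c.version}: ${c.vulnerable ? `VULNERABLE (< ${FIXED_VERSION})` : 'ok'}`);
}
console.log('Object.getOwnPropertyDescriptors on lines:', result.descriptorLines.join(', ') || 'none');
```

In a real project, replace `SAMPLE_NPM_LS` with `JSON.parse` of the output of `npm ls --all --json` and feed each source file to `findDescriptorUsage`; a single transitive old copy is enough to leave the process exposed, which is why the walk descends into every dependency rather than stopping at the top level.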
disclosure
Exploit status
EPSS
0.50% (percentile 66%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27597 is to immediately upgrade the @enclave-vm/core module to version 2.11.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling memory limits within the module's configuration, although this significantly reduces the security posture. While not a complete solution, implementing strict input validation and sanitization on any data passed to the module can help reduce the attack surface. Monitor system logs for unusual activity related to @enclave-vm/core and investigate any suspicious patterns.
Update the `@enclave-vm/core` package to version 2.11.1 or later. This fixes the sandbox escape vulnerability and prevents the possible remote code execution. Run `npm install @enclave-vm/core@latest` to update.
CVE-2026-27597 is a critical remote code execution vulnerability in the @enclave-vm/core Node.js module, allowing attackers to bypass security boundaries and potentially execute arbitrary code.
You are affected if you are using @enclave-vm/core versions prior to 2.11.1. Check your project dependencies immediately.
Upgrade to version 2.11.1 or later. If immediate upgrade is not possible, consider temporarily disabling memory limits, but understand the security implications.
There is currently no indication of active exploitation, but the CRITICAL severity warrants immediate action.
Refer to the project's repository or official documentation for the advisory related to CVE-2026-27597.