Critical sandbox escape vulnerability in enclave-vm (versions prior to 2.7.0) allows untrusted JavaScript code to execute arbitrary code in the host Node.js runtime. The vulnerability occurs when tool invocation fails and exposes a host-side Error object to sandboxed code. Attackers can traverse the Error object's prototype chain to reach the host Function constructor, enabling arbitrary JavaScript compilation and execution in the host context. This completely bypasses the sandbox security model and grants access to sensitive resources including process environment, filesystem, and network. The vulnerability has been fixed in version 2.7.0.