Hoppscotch CLI: Fix for Sandbox Escape Vulnerability
CVE-2024-34347

8.4HIGH

Key Information:

Vendor

Hoppscotch

Status
Hoppscotch
Vendor
CVE Published:
8 May 2024

What is CVE-2024-34347?

The @hoppscotch/cli has a significant vulnerability in its @hoppscotch/js-sandbox component, which is designed to execute Hoppscotch Test Scripts within Continuous Integration (CI) environments. Prior to version 0.8.0, this package utilized Node.js's vm module to create a sandbox for running untrusted JavaScript. However, due to the inherent limitations of the vm module, the sandbox implementation failed to securely isolate execution contexts. By passing multiple references to external objects into the vm, the pre-request scripts could potentially escape the sandbox environment, leading to unauthorized access or execution of sensitive operations within the CI pipeline. This issue has been addressed and resolved in version 0.8.0.

Affected Version(s)

hoppscotch >= 0.5.0, < 0.8.0

References

https://github.com/hoppscotch/hoppscotch/security/advisor...
x_refsource_CONFIRM
https://github.com/hoppscotch/hoppscotch/commit/22c6eabd1...
x_refsource_MISC
https://www.sonarsource.com/blog/scripting-outside-the-bo...
x_refsource_MISC

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.