CVE-2024-34347
📋 TL;DR
This vulnerability allows pre-request scripts run by the Hoppscotch CLI to escape the JavaScript sandbox and execute arbitrary code on the host system. It affects users of @hoppscotch/cli versions before 0.8.0 who run untrusted test scripts in CI environments. The sandbox escape is possible because the Node.js vm module hands host object references into the sandbox context, which is not a security boundary.
💻 Affected Systems
- @hoppscotch/cli
- @hoppscotch/js-sandbox
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with arbitrary code execution, allowing attackers to steal credentials, deploy malware, or pivot to other systems in the CI/CD pipeline.
Likely Case
Execution of malicious scripts within the CI environment, potentially exposing sensitive environment variables, API keys, and pipeline secrets.
If Mitigated
Limited impact if scripts are from trusted sources only, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires ability to modify or inject pre-request scripts. Public technical details and proof-of-concept are available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.8.0
Vendor Advisory: https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr
Restart Required: No
Instructions:
1. Update @hoppscotch/cli to version 0.8.0 or later using npm: npm update @hoppscotch/cli
2. Verify no dependencies are pinned to vulnerable versions.
3. Test the updated version with your existing test scripts.
🔧 Temporary Workarounds
Disable pre-request scripts
Platform: all
Temporarily disable execution of pre-request scripts in CI pipelines until patching is complete.
Modify the CI configuration to skip script execution, or remove script sections from test files.
Use isolated execution environment
Platform: linux
Run Hoppscotch CLI in a container or VM with minimal privileges to limit the potential damage from a sandbox escape. The command below runs as the unprivileged node user, mounts only the current directory, and makes it the working directory so the CLI can find the test files:
docker run --rm --user node -v "$(pwd)":/tests -w /tests node:alpine npx @hoppscotch/cli
🧯 If You Can't Patch
- Restrict script sources to trusted repositories only
- Implement code review requirements for all test scripts before CI execution
🔍 How to Verify
Check if Vulnerable:
Check package.json or run: npm list @hoppscotch/cli @hoppscotch/js-sandbox
Check Version:
npm list @hoppscotch/cli --depth=0
Verify Fix Applied:
Confirm installed version is 0.8.0 or higher: npx @hoppscotch/cli --version
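The version checks above look at one install at a time; step 2 of the fix instructions also asks that no dependency pins a vulnerable copy. The following added example (not the advisory's or Hoppscotch's code) walks `npm list --json --all` output and flags every @hoppscotch/cli copy older than 0.8.0, including transitive ones. Since the advisory gives no fixed version for @hoppscotch/js-sandbox, that package is only listed. The sample tree, its versions and package names other than the two Hoppscotch packages are constructed.

```javascript
const FIXED_CLI_VERSION = '0.8.0'; // patch version from the advisory

// Split "v1.2.3-beta.1+build" into a numeric core and an optional pre-release tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when a sorts before b: numeric core first, then a pre-release of the
// same core (0.8.0-beta.1) precedes the final release (0.8.0).
function isOlderThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i];
  }
  return pa.pre !== null && pb.pre === null;
}

// Depth-first walk over the npm dependency tree, recording every Hoppscotch
// package with the path of packages that pulled it in.
function findHoppscotchPackages(tree, path = [], out = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === '@hoppscotch/cli' || name === '@hoppscotch/js-sandbox') {
      out.push({
        name,
        version: info.version,
        path: here.join(' > '),
        // null: the advisory states no fixed version for js-sandbox
        vulnerable: name === '@hoppscotch/cli' ? isOlderThan(info.version, FIXED_CLI_VERSION) : null,
      });
    }
    findHoppscotchPackages(info, here, out);
  }
  return out;
}

// Constructed sample shaped like `npm list --json --all` output: one direct
// install that is too old and one patched copy nested under another tool.
const SAMPLE_NPM_LIST = {
  name: 'ci-tests',
  version: '1.0.0',
  dependencies: {
    '@hoppscotch/cli': {
      version: '0.7.1',
      dependencies: { '@hoppscotch/js-sandbox': { version: '0.7.1' } },
    },
    'some-other-tool': {
      version: '2.3.4',
      dependencies: { '@hoppscotch/cli': { version: '0.8.0' } },
    },
  },
};

function auditSample() {
  return findHoppscotchPackages(SAMPLE_NPM_LIST);
}

for (const finding of auditSample()) {
  console.log(finding.vulnerable ? 'VULNERABLE' : 'ok        ', finding.path);
}
```

To audit a real project, save `npm list --json --all > tree.json` in the project directory and pass `JSON.parse(fs.readFileSync('tree.json', 'utf8'))` to `findHoppscotchPackages` in place of the sample.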
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from Node.js runtime
- Unexpected file system access patterns
- Abnormal network connections from CI runners
Network Indicators:
- Outbound connections to unexpected destinations from CI infrastructure
- Data exfiltration patterns
SIEM Query:
process.name:node AND (process.args:*hoppscotch* OR process.args:*cli*) AND (process.parent.name:ci-runner OR process.parent.name:jenkins)
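The SIEM query above matches every Hoppscotch CLI run under a CI runner, so on its own it fires on normal pipelines; the log indicator that carries the signal is the unusual process spawn. This added example (not the advisory's) turns the query into a predicate over ECS-style process events and then flags any process whose ancestor chain passes through such a CLI run, which a script confined to its sandbox should never produce. Field names follow ECS (`process.name`, `process.args`, `process.parent.*`); the events, pids, runner names and paths are constructed.

```javascript
// Parent process names from the page's SIEM query.
const CI_RUNNER_NAMES = new Set(['ci-runner', 'jenkins']);

// Predicate equivalent to the page's query:
// process.name:node AND process.args:(*hoppscotch* OR *cli*) AND parent in CI runners
function matchesSiemQuery(ev) {
  const p = ev.process;
  return p.name === 'node'
    && p.args.some((a) => /hoppscotch|cli/.test(a))
    && CI_RUNNER_NAMES.has(p.parent.name);
}

// Flag every process whose ancestor chain reaches a matching CLI run. The
// `seen` set guards against cyclic or malformed parent links in the data.
function findSpawnsFromCliRun(events) {
  const byPid = new Map(events.map((ev) => [ev.process.pid, ev]));
  const cliPids = new Set(events.filter(matchesSiemQuery).map((ev) => ev.process.pid));
  const flagged = [];
  for (const ev of events) {
    const seen = new Set();
    let parentPid = ev.process.parent.pid;
    while (parentPid !== undefined && !seen.has(parentPid)) {
      if (cliPids.has(parentPid)) { flagged.push(ev); break; }
      seen.add(parentPid);
      const parent = byPid.get(parentPid);
      parentPid = parent ? parent.process.parent.pid : undefined;
    }
  }
  return flagged;
}

// Constructed sample: a CI runner starts a Hoppscotch CLI run (pid 200) and an
// unrelated build script (pid 201). The CLI run spawns a shell that dumps the
// environment, which in turn starts a network client; the build script's git
// child is normal and must not be flagged.
const SAMPLE_EVENTS = [
  { process: { pid: 100, name: 'jenkins', args: ['jenkins-agent'], parent: { pid: 1, name: 'systemd' } } },
  { process: { pid: 200, name: 'node', args: ['node', 'node_modules/@hoppscotch/cli/dist/index.js', 'test', 'collection.json'], parent: { pid: 100, name: 'jenkins' } } },
  { process: { pid: 201, name: 'node', args: ['node', 'build.js'], parent: { pid: 100, name: 'jenkins' } } },
  { process: { pid: 202, name: 'git', args: ['git', 'status'], parent: { pid: 201, name: 'node' } } },
  { process: { pid: 300, name: 'sh', args: ['sh', '-c', 'env'], parent: { pid: 200, name: 'node' } } },
  { process: { pid: 301, name: 'curl', args: ['curl', 'https://example.invalid/'], parent: { pid: 300, name: 'sh' } } },
];

function queryHits() {
  return SAMPLE_EVENTS.filter(matchesSiemQuery).map((ev) => ev.process.pid);
}

function flaggedPids() {
  return findSpawnsFromCliRun(SAMPLE_EVENTS).map((ev) => ev.process.pid);
}

console.log('CLI runs matched by the query:', queryHits());
console.log('processes spawned from a CLI run:', flaggedPids());
```

Two practical notes: the page's `*cli*` wildcard also matches argument strings such as `client`, so expect the query alone to be noisy, and the descendant rule depends on complete parent pids in the telemetry, which endpoint agents normally supply but plain syslog does not.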
🔗 References
- https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01
- https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr
- https://www.sonarsource.com/blog/scripting-outside-the-box-api-client-security-risks-part-2