CVE-2024-34714
📋 TL;DR
A vulnerability in the Hoppscotch Browser Extension allows any website to send messages to the extension and receive responses, bypassing CORS restrictions. It affects all users running vulnerable versions of the extension and lets malicious sites drive the extension's APIs because the extension does not validate the origin of incoming messages.
💻 Affected Systems
- Hoppscotch Browser Extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious websites could use the extension to make unauthorized API requests, potentially accessing internal systems, exfiltrating data, or performing actions on behalf of the user.
Likely Case
Attackers could use the extension to bypass CORS policies and make cross-origin requests to internal APIs or services that would normally be blocked.
If Mitigated
With proper controls, the extension would only respond to messages from approved origins, preventing unauthorized access.
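The control described above (answering only messages from approved origins), shown as an added example that is not the Hoppscotch extension's own code: a content-script style `message` handler with an exact-match origin allowlist, beside the unvalidated pattern the advisory describes. The allowlist entries, message shape and sample events are assumed for the example.

```javascript
// Added example: origin allowlisting for a browser-extension content script
// that receives requests from page scripts via window.postMessage.
// Not Hoppscotch's code; allowlist entries and message shape are assumed.

// Exact-match allowlist of page origins the extension will serve
// (scheme + host + port; no wildcards, no substring matching).
const APPROVED_ORIGINS = new Set([
  "https://app.example.test", // assumed trusted web app
  "http://localhost:3000",    // assumed local development instance
]);

// Weak handler: the pattern the advisory describes. It answers any
// sender, so any site the user visits can drive the extension.
function handleMessageUnvalidated(event) {
  if (!event.data || event.data.type !== "extension-request") return null;
  return { ok: true, echo: event.data.payload };
}

// Hardened handler: reject anything whose origin is not on the list
// BEFORE touching the message body. Compare the full origin string;
// suffix or substring checks such as endsWith("example.test") can be
// satisfied by a look-alike host and are not a substitute.
function handleMessageValidated(event, approved = APPROVED_ORIGINS) {
  if (typeof event.origin !== "string" || !approved.has(event.origin)) {
    return null; // ignore silently: no response, no error for the page
  }
  if (!event.data || event.data.type !== "extension-request") return null;
  return { ok: true, echo: event.data.payload };
}

// Constructed sample events standing in for window MessageEvents.
const request = { type: "extension-request", payload: "ping" };
const fromTrusted  = { origin: "https://app.example.test", data: request };
const fromUntrusted = { origin: "https://untrusted.example", data: request };
const lookalike    = { origin: "https://app.example.test.untrusted.example", data: request };

// In a real content script the hardened handler is wired up as:
// window.addEventListener("message", (e) => {
//   const r = handleMessageValidated(e);
//   if (r) e.source.postMessage(r, e.origin); // reply only to the validated origin
// });
```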
🎯 Exploit Status
A proof of concept is available at the URL listed in the references. Exploitation requires the user to visit a malicious website while the vulnerable extension is installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.35
Vendor Advisory: https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v
Restart Required: No
Instructions:
1. Open your browser's extension management page.
2. Find the Hoppscotch Extension.
3. Check for updates or manually update to version 0.35 or later.
4. The extension will update automatically if automatic updates are enabled.
🔧 Temporary Workarounds
Chrome Extension Site Access Restriction
Limit extension access to specific sites only in Chrome
🧯 If You Can't Patch
- Disable the Hoppscotch Extension completely until patched
- Use browser settings to restrict extension permissions to trusted sites only
🔍 How to Verify
Check if Vulnerable:
Check the extension version on your browser's extensions page. If the version is below 0.35, you are vulnerable.
Check Version:
Browser-specific: Chrome: chrome://extensions/; Firefox: about:addons
Verify Fix Applied:
Confirm that the extension version is 0.35 or higher in your browser's extension settings.
📡 Detection & Monitoring
Log Indicators:
- Unusual extension activity logs
- Unexpected cross-origin requests from browser
Network Indicators:
- Unexpected API calls originating from browser extension context
- CORS policy violations that shouldn't be possible
SIEM Query:
Search for the browser extension process making network requests to unexpected domains or internal APIs.
🔗 References
- https://github.com/hoppscotch/hoppscotch-extension/commit/7e364b928ab722dc682d0fcad713a96cc38477d6
- https://github.com/hoppscotch/hoppscotch-extension/commit/d4e8e4830326f46ba17acd1307977ecd32a85b58
- https://github.com/hoppscotch/hoppscotch-extension/security/advisories/GHSA-jjh5-pvqx-gg5v
- https://server.yadhu.in/poc/hoppscotch-poc.html