FKIE_CVE-2024-34347
Vulnerability from fkie_nvd - Published: 2024-05-08 15:15 - Updated: 2025-06-10 16:15
Severity: HIGH (CVSS v3.1 base score 8.3, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, as recorded by the GitHub advisory source below)
Summary
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a JavaScript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted JavaScript code: code inside the vm context can break out as soon as it gets hold of any reference to an object created outside the vm, typically by walking that object's constructor chain to the host realm's Function constructor and evaluating code there. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts to interact with environment variables and more, which also lets a pre-request script escape the sandbox. This vulnerability is fixed in 0.8.0.
References
- https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr (GitHub security advisory)
- https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01 (referenced commit)
- https://www.sonarsource.com/blog/scripting-outside-the-box-api-client-security-risks-part-2 (SonarSource blog post)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| hoppscotch | @hoppscotch/cli | < 0.8.0 |
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0."
},
{
"lang": "es",
"value": "@hoppscotch/cli is a CLI to run Hoppscotch test scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a JavaScript sandbox that uses the Node.js vm module. However, the vm module is not safe for untrusted JavaScript code. This is because code inside the vm context can break out if it can obtain any reference to an object created outside the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts to interact with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability was fixed in 0.8.0."
}
],
"id": "CVE-2024-34347",
"lastModified": "2025-06-10T16:15:34.867",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-05-08T15:15:11.310",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr"
},
{
"source": "security-advisories@github.com",
"url": "https://www.sonarsource.com/blog/scripting-outside-the-box-api-client-security-risks-part-2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.