CVE-2024-34347 in cli
Summary
by MITRE • 05/08/2024
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/10/2025
The vulnerability identified as CVE-2024-34347 affects the @hoppscotch/cli package, specifically its js-sandbox implementation used for executing test scripts in continuous integration environments. This security flaw represents a critical sandbox escape vulnerability that undermines the fundamental security assumptions of the JavaScript execution environment. The issue stems from the improper use of Node.js vm module within the sandbox implementation, which fails to provide adequate isolation between trusted and untrusted code execution contexts. The vulnerability exists in versions prior to 0.8.0 where the sandbox mechanism was designed to facilitate interaction with environment variables and other external resources through the vm context, but inadvertently exposed references to external objects that could be exploited by malicious code.
The technical flaw manifests through the Node.js vm module's inherent limitations in providing secure sandboxing capabilities. According to CWE-242, this vulnerability directly relates to the use of dangerous functions that can lead to security issues when not properly isolated. The js-sandbox package passes multiple references to external objects into the vm context to enable legitimate pre-request script interactions with environment variables and other system resources. However, this design creates a security boundary breach where code executing within the vm context can access and manipulate objects outside of its intended scope. The vulnerability enables attackers to escape the sandbox by leveraging these external references, effectively breaking out of the isolated execution environment and gaining access to potentially sensitive system resources or data that should remain protected from script execution.
The operational impact of this vulnerability is significant within CI/CD environments where Hoppscotch Test Scripts are executed automatically. Attackers who can inject malicious code into pre-request scripts can potentially access environment variables, system resources, and other sensitive data that the sandbox was designed to protect. This vulnerability aligns with ATT&CK technique T1059.007 for Scripting and T1566.001 for Phishing, as it enables attackers to execute malicious code within legitimate CI/CD workflows. The exploitation of this vulnerability could lead to unauthorized access to secrets, credentials, and other sensitive information stored in environment variables. Additionally, the compromised CI environment could serve as a platform for further attacks, potentially leading to supply chain compromises or lateral movement within the organization's infrastructure.
Mitigation efforts should focus on upgrading to version 0.8.0 or later where the vulnerability has been addressed through improved sandboxing mechanisms. Organizations using affected versions should immediately implement additional security controls such as code scanning and validation of test scripts before execution. The fix likely involves implementing proper isolation techniques that prevent external object references from being accessible within the vm context, potentially through the use of vm.createContext with restricted globals or alternative sandboxing approaches that do not rely on the potentially insecure vm module. Security teams should also consider implementing runtime monitoring and anomaly detection for CI/CD environments to identify suspicious script execution patterns that could indicate exploitation attempts. Regular security assessments of development tools and dependencies should be conducted to identify similar vulnerabilities in other packages that may be used in automated testing and deployment processes.