CVE-2024-34347 HIGH

CVE-2024-34347: @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE

Vendor Hoppscotch
Product hoppscotch
Weakness CWE-77
Published May 8, 2024
Last update June 10, 2025

CVSS base score

8.4/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.

Key dates

02Disclosure timeline

May 8, 2024 CVE published
June 10, 2025 Record updated