
Cloud Vulnerability DB
A community-led vulnerabilities database
The @hoppscotch/cli package, a CLI tool for running Hoppscotch Test Scripts in CI environments, contains a sandbox escape vulnerability in versions prior to 0.8.0. The vulnerability exists in the @hoppscotch/js-sandbox package, which uses the Node.js vm module for JavaScript sandboxing. The issue was discovered on May 8, 2024, and has been assigned CVE-2024-34347 with a CVSS score of 8.3 (HIGH) (GitHub Advisory).
The vulnerability stems from the unsafe use of the Node.js vm module for sandboxing untrusted JavaScript code. The vm module is known to be unsafe for sandboxing, as code inside the vm context can break out if it gains access to any reference to an object created outside of the vm. In @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to let pre-request scripts interact with environment variables, which inadvertently allows a pre-request script to escape the sandbox (GitHub Advisory).
An attacker can exploit this vulnerability to execute arbitrary system commands on the victim's machine. The attack vector requires creating a malicious Hoppscotch collection containing a request with a malicious pre-request script and sharing it with a victim. When the victim runs the collection using the Hoppscotch CLI, the malicious pre-request script executes with system-level privileges. This vulnerability does not affect Hoppscotch Web or Desktop versions, as they use a secure web worker sandboxing approach (GitHub Advisory).
The vulnerability has been fixed in version 0.8.0 of @hoppscotch/cli. For tools that rely on @hoppscotch/js-sandbox but do not have access to a browser, it is recommended to use an alternative safe JavaScript sandboxing library such as isolated-vm. The use of vm2 is discouraged, as it is deprecated due to arbitrary bypasses. Additionally, users are advised not to run untrusted collections, as they can lead to remote code execution (GitHub Advisory).
Source: This report was generated using AI