@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-05-08T14:16:38.206Z
Updated: 2024-08-02T02:51:10.919Z
Reserved: 2024-05-02T06:36:32.437Z
Link: CVE-2024-34347
Vulnrichment
Updated: 2024-08-02T02:51:10.919Z
NVD
Status : Awaiting Analysis
Published: 2024-05-08T15:15:11.310
Modified: 2024-11-21T09:18:28.767
Link: CVE-2024-34347
Redhat
No data.