CVE-2024-34347: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in hoppscotch hoppscotch
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a JavaScript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted JavaScript code, because code inside the vm context can break out if it can get hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request script interactions with environment variables and more. This also allows the pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.
AI Analysis
Technical Summary
CVE-2024-34347 is a high-severity sandbox-escape vulnerability in the hoppscotch project, affecting @hoppscotch/cli versions >= 0.5.0 and < 0.8.0. Hoppscotch is an API testing tool; its CLI runs collections, including their pre-request and test scripts, in continuous integration (CI) environments. Those scripts are executed by the @hoppscotch/js-sandbox package, which builds its sandbox on the Node.js vm module. The vm module is not a security boundary: it gives a script its own global scope, but it does not separate object graphs, so any reference to a host-created object that reaches the script can be walked back into the host realm (for example, from the object's constructor to the host Function constructor), from where the script can reach process and require and run arbitrary commands. @hoppscotch/js-sandbox deliberately passed several host objects into the context so that pre-request scripts could read and set environment variables and similar state, and those references are the escape route. A malicious pre-request script therefore runs with the full privileges of the user executing the CLI, which in CI usually means access to source, secrets and deployment credentials, so confidentiality, integrity and availability are all affected.

The advisory states that the issue is fixed in 0.8.0 without describing the change; the expected approach is to stop exposing host objects to the script and to pass data across the boundary as plain values instead. The CVSS 3.1 base score is 8.4 (high). Note that the description often repeated for this entry (network attack vector, user interaction required, high impact on confidentiality, integrity and availability, no privileges required) does not compute to 8.4; that combination yields 8.8. A score of 8.4 with high C/I/A and no privileges corresponds to AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, a local vector with no user interaction, which matches the realistic scenario: the attacker's input is the collection or environment file the CLI is invoked on, and nothing beyond the normal CI run is needed. No exploitation in the wild has been reported. The assigned weakness is CWE-77 (command injection); strictly, the root cause is a missing trust boundary between the script and the host rather than unneutralized special elements in a command string, but the outcome is the same: arbitrary command execution. Organizations running vulnerable versions in CI are at risk whenever scripts originating from pull requests, forks, shared collections or a compromised repository are executed.
Potential Impact
For European organizations, the impact of CVE-2024-34347 can be significant, especially for those running the hoppscotch CLI for automated API testing in CI/CD pipelines. Successful exploitation gives an attacker arbitrary command execution on the build or test runner with the privileges of the CI job, which typically holds repository credentials, cloud deployment tokens and API secrets. Likely outcomes are theft of those secrets and of test data, tampering with code, artifacts or test results, lateral movement into internal or production-like environments reachable from the runner, and disruption of development workflows. Organizations subject to strict data protection regimes such as GDPR (finance, healthcare, government) additionally face regulatory penalties and reputational damage if personal data is exposed. Because exploitation requires only that the CLI execute an attacker-influenced script, the risk is highest where collections or environment files come from pull requests, forks, shared or community-contributed sources, or a repository an attacker can write to. The absence of reported exploitation in the wild reduces immediate risk but not exposure: the escape technique is generic to the Node.js vm module and well documented, so a working exploit takes little effort once the vulnerable pattern is known.
Mitigation Recommendations
1. Upgrade @hoppscotch/cli to version 0.8.0 or later, which also pulls in the fixed @hoppscotch/js-sandbox. Check what is actually installed, including transitive copies, with `npm ls @hoppscotch/cli @hoppscotch/js-sandbox` in each repository and on CI runner images, and pin the CLI version in the pipeline definition rather than invoking the latest via npx.
2. Treat pre-request and test scripts as code: require review for changes to collections and environment files, and do not run collections contributed by third parties or pulled from forks and pull requests without review.
3. Run the CLI in a dedicated, short-lived job with least privilege: no long-lived cloud or repository credentials in the environment, a minimal set of secrets scoped to the API under test, and egress restricted to the target API.
4. Rely on a process or container boundary (a throwaway container, a separate runner or a microVM) to isolate test execution; the Node.js vm module is not a security boundary and should not be the only layer between scripts and the host.
5. Monitor CI logs and runner activity for child processes spawned by the Node.js process that runs the CLI, unexpected outbound connections from test jobs, and reads of credential files; none of these are expected from a normal API test run.
6. Make developers and DevOps teams aware that collection scripts execute with the CI job's privileges, and enforce policies on who may change them.
7. If upgrading immediately is not possible, remove pre-request scripts from collections that will be run by the vulnerable CLI, or stop running collections from untrusted sources until the upgrade is done.
8. Maintain an inventory of affected versions in use and track further advisories from hoppscotch, since the same sandbox package may be touched by future fixes.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-05-02T06:36:32.437Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68487f531b0bd07c39389f99
Added to database: 6/10/2025, 6:54:11 PM
Last enriched: 7/11/2025, 5:32:50 AM
Last updated: 8/12/2025, 12:43:14 AM