@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE — @hoppscotch / cli
Improper Neutralization of Special Elements used in a Command ('Command Injection')Observations
The Hoppscotch desktop app takes multiple precautions to be secure against arbitrary JavaScript and system command execution. It does not render user-controlled HTML or Markdown, uses Tauri instead of Electron, and sandboxes pre-request scripts with a simple yet secure implementation using web workers.
Unfortunately, web workers are not available in a pure Node.js application like Hoppscotch CLI. That is why the @hoppscotch/js-sandbox package also provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code, as stated in the documentation. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm.
In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context to allow pre-request scripts interactions with environment variables and more. But this also allows the pre-request script to escape the sandbox. packages/hoppscotch-js-sandbox/src/pre-request/node-vm/index.ts
const { pw, updatedEnvs } = getPreRequestScriptMethods(envs)
// Expose pw to the context
context.pw = pw
context.atob = atob
context.btoa = btoa
// Run the pre-request script in the provided context
runInContext(preRequestScript, context)
Exploitation
An attacker can use the exposed pw object reference to escape the sandbox and execute arbitrary system commands using the child_process Node.js module. This PoC pre-request script executes the id > /tmp/pwnd system command as soon as a request is sent.
outside = pw.constructor.constructor('return this')()
outside.process.mainModule.require('child_process').execSync('id > /tmp/pwnd')
An attacker who wants to run arbitrary code on the machine of a victim can create a Hoppscotch collection containing a request with a malicious pre-request script and share it with a victim, using the JSON export feature. The victim then has to run the collection with the Hoppscotch CLI. Then the malicious pre-request script executes.
Impact
This attack gives an attacker arbitrary command execution on the machine of a victim Hoppscotch CLI user. For the attack to succeed, an attacker has to lure the victim into downloading a malicious Hoppscotch collection and running it with the Hoppscotch CLI.
This issue does not impact Hoppscotch Web or Desktop, as they use the safe web worker sandboxing approach.
Recommendations
Hoppscotch CLI and other tools that rely on @hoppscotch/js-sandbox but don't have access to a browser cannot use the web worker sandbox. For these, you can look into other safe JavaScript sandboxing libraries. We think that isolated-vm looks promising. We discourage the use of vm2, which is deprecated because it has arbitrary bypasses. Alternatively, you can introduce an --enable-scripting flag for the CLI and disable scripting by default. Or you can change the threat model and educate users that they should not run untrusted collections as it can lead to RCE.
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime
Frequently Asked Questions
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.