@hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
Description

Observations

The Hoppscotch desktop app takes multiple precautions to be secure against arbitrary JavaScript and system command execution. It does not render user-controlled HTML or Markdown, uses Tauri instead of Electron, and sandboxes pre-request scripts with a simple yet secure implementation based on web workers. Unfortunately, web workers are not available in a pure Node.js application like Hoppscotch CLI. That is why the @hoppscotch/js-sandbox package also provides a JavaScript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted JavaScript code, as its documentation states: code inside the vm context can break out if it can get hold of any reference to an object created outside of the vm. In the case of @hoppscotch/js-sandbox, multiple references to external objects are passed into the vm context so that pre-request scripts can interact with environment variables and more. This also allows a pre-request script to escape the sandbox.

packages/hoppscotch-js-sandbox/src/pre-request/node-vm/index.ts

```js
const { pw, updatedEnvs } = getPreRequestScriptMethods(envs)

// Expose pw to the context
context.pw = pw
context.atob = atob
context.btoa = btoa

// Run the pre-request script in the provided context
runInContext(preRequestScript, context)
```

Exploitation

An attacker can use the exposed pw object reference to escape the sandbox and execute arbitrary system commands using the child_process Node.js…
