CVE-2024-23339 - Vulnerability Details - OpenCVE

hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.09783.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Elijahharry	Hoolock

Configuration 1 [-]

cpe:2.3:a:elijahharry:hoolock:*:*:*:*:*:node.js:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-0244	hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.
Github GHSA	GHSA-4c2g-hx49-7h25	Prototype pollution not blocked by object-path related utilities in hoolock

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982
https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25

History

Tue, 17 Jun 2025 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-22T22:54:53.096Z

Updated: 2025-06-17T21:19:25.952Z

Reserved: 2024-01-15T15:19:19.444Z

Link: CVE-2024-23339

Vulnrichment

Updated: 2025-06-17T21:16:08.619Z

NVD

Status : Modified

Published: 2024-01-22T23:15:08.413

Modified: 2024-11-21T08:57:32.477

Link: CVE-2024-23339

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T22:54:53.096Z", "dateUpdated": "2025-06-17T21:19:25.952Z"}, "containers": {"cna": {"title": "hoolock does not block Prototype pollution with object-path related utilities", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}, {"name": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982", "tags": ["x_refsource_MISC"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}], "affected": [{"vendor": "elijahharry", "product": "hoolock", "versions": [{"version": ">= 2.0.0, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T22:54:53.096Z"}, "descriptions": [{"lang": "en", "value": "hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties."}], "source": {"advisory": "GHSA-4c2g-hx49-7h25", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.346Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}, {"name": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T21:32:25.688935Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T21:19:25.952Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.444Z", "datePublished": "2024-01-22T22:54:53.096Z", "dateUpdated": "2024-08-01T22:59:32.346Z"}, "containers": {"cna": {"title": "hoolock does not block Prototype pollution with object-path related utilities", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}, {"name": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982", "tags": ["x_refsource_MISC"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}], "affected": [{"vendor": "elijahharry", "product": "hoolock", "versions": [{"version": ">= 2.0.0, < 2.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-22T22:54:53.096Z"}, "descriptions": [{"lang": "en", "value": "hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties."}], "source": {"advisory": "GHSA-4c2g-hx49-7h25", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-23T21:32:25.688935Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-06-17T21:16:08.619Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:elijahharry:hoolock:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "C4DE5F97-F88D-4551-9194-4620945DA9C9", "versionEndExcluding": "2.2.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties."}, {"lang": "es", "value": "hoolock es un conjunto de utilidades livianas manipuladas para ocupar poco espacio cuando se incluyen en paquete. A partir de la versi\u00f3n 2.0.0 y antes de la versi\u00f3n 2.2.1, las funciones de utilidad relacionadas con las rutas de los objetos (`get`, `set` y `update`) no bloqueaban los intentos de acceder o alterar los prototipos de objetos. A partir de la versi\u00f3n 2.2.1, las funciones `get`, `set` y `update` arrojan un `TypeError` cuando un usuario intenta acceder o modificar propiedades heredadas."}], "id": "CVE-2024-23339", "lastModified": "2024-11-21T08:57:32.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-22T23:15:08.413", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}