CVE-2024-23339: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, the utility functions related to object paths (`get`, `set`, and `update`) do not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set`, and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.
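The guard described above, sketched as an added example; this is not hoolock's source code. The helper names (`assertNotInherited`, `naiveSet`, `safeSet`, `demo`), the array-of-keys path format, and the `constructedMarker` property are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, NOT hoolock's source. Paths are key arrays (assumption).

// Reject any key that resolves through the prototype chain rather than to an
// own property ("__proto__", "constructor", "toString", ...).
function assertNotInherited(obj, key) {
  const own = Object.prototype.hasOwnProperty.call(obj, key);
  if (!own && key in Object(obj)) {
    throw new TypeError(`inherited property "${String(key)}" is not accessible by path`);
  }
}

// Generic path setter with no prototype check, shown only for contrast.
function naiveSet(root, path, value) {
  let cur = root;
  for (const key of path.slice(0, -1)) {
    if (cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  }
  cur[path[path.length - 1]] = value;
  return root;
}

// Guarded setter: every hop is checked before it is read or written.
function safeSet(root, path, value) {
  let cur = root;
  path.forEach((key, i) => {
    assertNotInherited(cur, key);
    if (i === path.length - 1) { cur[key] = value; return; }
    if (cur[key] === null || typeof cur[key] !== "object") cur[key] = {};
    cur = cur[key];
  });
  return root;
}

// Constructed input: a path whose first hop is the inherited "__proto__" accessor.
function demo() {
  const path = ["__proto__", "constructedMarker"];
  naiveSet({}, path, true);
  const naiveLeaked = ({}).constructedMarker === true; // an unrelated object sees the write
  delete Object.prototype.constructedMarker;           // restore global state

  let guardError = null;
  try { safeSet({}, path, true); } catch (e) { guardError = e; }
  const safeLeaked = "constructedMarker" in {};
  const ok = safeSet({}, ["a", "b"], 1);               // ordinary paths still work
  return { naiveLeaked, guardError, safeLeaked, ok };
}
```

The own-property check also rejects paths that pass through `constructor`, so it does not depend on a deny-list of key names.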