hoolock does not block Prototype pollution with object-path related utilities
Description
hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (get, set, and update) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the get, set and update functions throw a TypeError when a user attempts to access or alter inherited properties.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype pollution vulnerability in hoolock v2.0.0–v2.2.0 allows attackers to modify object prototypes via the `get`, `set`, and `update` functions.
Vulnerability Overview
CVE-2024-23339 is a prototype pollution vulnerability in hoolock, a lightweight utility library focused on maintaining a small bundle footprint [1]. From version 2.0.0 up to (but not including) version 2.2.1, the get, set, and update functions that handle object paths did not prevent access to or modification of object prototypes [1]. This means an untrusted object path submitted to these functions could reach and pollute Object.prototype, leading to unexpected behavior across the application.
Attack Surface and Exploitation
Exploitation requires an attacker to be able to supply a crafted object path—for example, __proto__ or constructor.prototype—to one of the vulnerable utility functions [1]. The set function is particularly dangerous because it allows direct assignment of properties along an arbitrary path, and without input sanitization the attacker can overwrite prototype properties. The attack does not require authentication beyond the ability to interact with functionality that uses hoolock's object-path utilities [1].
Impact
A successful prototype pollution attack can lead to property injection, denial of service, or—in some contexts—remote code execution if polluted properties affect security-sensitive logic or downstream deserialization. By altering inherited properties shared by all objects, the attacker can modify the behavior of the entire JavaScript runtime in a way that persists for the lifetime of the process [1].
Mitigation
The maintainers resolved the issue in hoolock version 2.2.1 by making the get, set, and update functions throw a TypeError whenever a user attempts to access or alter inherited properties [1]. Users should update to at least version 2.2.1; if upgrading is not immediately possible, any code that passes untrusted input to these functions should be audited and sanitized to block prototype-key patterns [2].
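The following is an added example, not hoolock's own code and not the patch from the fix commit: a minimal object-path `set` in the style of such utilities, first without any prototype guard and then with the kind of check the advisory describes (throwing a TypeError when a path would access or alter inherited properties). The function names, the forbidden-key list, the own-property check during traversal, and the attacker-controlled paths are all constructed for illustration; the real library's internals may differ.

```javascript
// Added example (not hoolock's code): a vulnerable object-path `set` beside a
// hardened one. Names and payloads below are constructed for this demo.

// Split "a.b.c" into path segments; arrays are accepted as-is.
function toSegments(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split('.');
}

// VULNERABLE: walks whatever path it is given, creating intermediate objects.
// "__proto__.x" reaches Object.prototype through the __proto__ accessor, and
// "constructor.prototype.x" reaches it through the Object constructor.
function unsafeSet(target, path, value) {
  const segs = toSegments(path);
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const next = node[key];
    if (next == null || (typeof next !== 'object' && typeof next !== 'function')) {
      node[key] = {};
    }
    node = node[key];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Keys that let a path escape the target into shared prototype objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: reject any prototype-reaching key up front (TypeError, as in the
// advisory's fix), and never traverse *through* a property the target merely
// inherits; an own object is created instead, so an already-polluted
// prototype can never be reached by an innocent-looking path either.
function safeSet(target, path, value) {
  const segs = toSegments(path);
  for (const key of segs) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to access prototype-reaching key "${key}"`);
    }
  }
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Demonstration: for each constructed attacker path, pollute via unsafeSet,
// observe the leak on an unrelated object, clean up, then show that safeSet
// rejects the same path and leaves the runtime untouched.
function demonstrate() {
  const payloads = ['__proto__.isAdmin', 'constructor.prototype.isAdmin'];
  const results = [];
  for (const path of payloads) {
    const victim = {}; // never had isAdmin set directly
    unsafeSet({}, path, true);
    const polluted = victim.isAdmin === true;
    delete Object.prototype.isAdmin; // restore a clean runtime

    let rejected = false;
    try {
      safeSet({}, path, true);
    } catch (e) {
      rejected = e instanceof TypeError;
    }
    results.push({ path, polluted, rejected, stillClean: victim.isAdmin === undefined });
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demonstrate(), null, 2));
}

module.exports = { toSegments, unsafeSet, safeSet, demonstrate };
```

The up-front key rejection is what the advisory's fix describes; the own-property check during traversal is an extra layer, since a prototype polluted earlier by some other code would otherwise be reachable through a plain-looking path such as `foo.bar` if `foo` only exists on the prototype.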
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| hoolock (npm) | >= 2.0.0, < 2.2.1 | 2.2.1 |
Affected products
- Range: >= 2.0.0, < 2.2.1
Patches
- 97ae80e85677
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4c2g-hx49-7h25 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23339 (NVD entry)
- github.com/elijahharry/hoolock/commit/97ae80e856774335d92743c635ffeae2f652b982 (fix commit)
- github.com/elijahharry/hoolock/security/advisories/GHSA-4c2g-hx49-7h25 (vendor advisory, confirmation)