CVE-2024-23339

MEDIUM

hoolock 2.0.0-2.2.1 - Prototype Pollution via Object Path Utility Functions

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-23339. PoCs published by 200101WhoAmI.

AI-analyzed exploit summary This repository provides a detailed explanation of CVE-2024-23339, a prototype pollution vulnerability in the 'hoolock' Node.js package. It describes how utility functions (get, set, update) failed to block prototype access/alteration, leading to potential security issues.

Description

hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. Starting in version 2.0.0 and prior to version 2.2.1, utility functions related to object paths (`get`, `set`, and `update`) did not block attempts to access or alter object prototypes. Starting in version 2.2.1, the `get`, `set` and `update` functions throw a `TypeError` when a user attempts to access or alter inherited properties.

Exploits (1)

nomisec WRITEUP
by 200101WhoAmI · poc
https://github.com/200101WhoAmI/CVE-2024-23339

This repository provides a detailed explanation of CVE-2024-23339, a prototype pollution vulnerability in the 'hoolock' Node.js package. It describes how utility functions (get, set, update) failed to block prototype access/alteration, leading to potential security issues.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: hoolock (Node.js package) versions 2.0.0 to 2.2.0
No auth needed
Prerequisites: Target using vulnerable version of hoolock package
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.3
EPSS 0.1234
EPSS Percentile 94.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1321
Status published
Products (2)
elijahharry/hoolock 2.0.0 - 2.2.1
npm/hoolock 2.0.0 - 2.2.1npm
Published Jan 22, 2024
Tracked Since Feb 18, 2026