
CVE-2024-23339: Prototype pollution not blocked by object-path related utilities in hoolock

CVSS Score: 6.3 (CVSS v3.1)

Basic Information

EPSS Score
0.92575%
Published
1/23/2024
Updated
11/12/2024
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Package Name: hoolock
Ecosystem: npm
Vulnerable Versions: >= 2.0.0, < 2.2.1
First Patched Version: 2.2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The advisory explicitly names get/set/update as the vulnerable functions that lacked prototype pollution protections. These utilities handled path-based operations without validating whether the target properties were the object's own properties (via hasOwnProperty checks) and without blocking prototype-related path segments such as `__proto__`. The patch throws a TypeError for inherited properties, confirming these were the entry points for pollution.
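The failure mode described above, as an added example that is not hoolock's own code: a minimal path-based `set` written in the vulnerable style, beside a hardened version that applies the fix the advisory describes (a TypeError on inherited properties and on prototype-related keys). The names `setUnsafe`, `setSafe` and `demo` are assumptions.

```javascript
// Added example, not hoolock's code. setUnsafe mirrors the vulnerable
// pattern; setSafe applies the advisory's fix. Names are assumed.
// Vulnerable: walks the path without checking that each key is an own
// property, so "__proto__" (or "constructor.prototype") reaches Object.prototype.
function setUnsafe(obj, path, value) {
  const keys = Array.isArray(path) ? path : path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Hardened: refuse prototype-related keys outright, and refuse any key that
// resolves to an inherited (non-own) property of the object being traversed.
function setSafe(obj, path, value) {
  const keys = Array.isArray(path) ? path : path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (k === '__proto__' || k === 'constructor' || k === 'prototype') {
      throw new TypeError(`refusing to traverse prototype key "${k}"`);
    }
    if (k in cur && !hasOwn(cur, k)) {
      throw new TypeError(`"${k}" is an inherited property, not an own property`);
    }
    if (i === keys.length - 1) { cur[k] = value; break; }
    if (cur[k] === undefined) cur[k] = {};
    cur = cur[k];
  }
  return obj;
}

// Constructed check: the unsafe set leaks a property onto every object;
// the safe set throws a TypeError and Object.prototype stays clean.
function demo() {
  const before = ({}).polluted;                       // undefined
  setUnsafe({}, '__proto__.polluted', 'yes');
  const leaked = ({}).polluted;                       // 'yes' on a fresh object
  delete Object.prototype.polluted;                   // undo the demo's damage
  let blocked = false;
  try { setSafe({}, '__proto__.polluted', 'yes'); }
  catch (e) { blocked = e instanceof TypeError; }
  return { before, leaked, blocked, after: ({}).polluted };
}
```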


WAF Protection Rules

WAF Rule

### Impact

Utility functions related to object paths (`get`, `set` and `update`) did not block attempts to access or alter object prototypes.

### Patches

The `get`, `set` and `update` functions will throw a `TypeError` when a user attempts to access
