CVE-2024-23339: 
JavaScript vulnerability analysis and mitigation

Hoolock, a suite of lightweight utilities designed for maintaining a small footprint when bundled, contains a vulnerability identified as CVE-2024-23339. The vulnerability affects versions from 2.0.0 up to (excluding) 2.2.1. The issue was discovered in utility functions related to object paths (get, set, and update) which failed to block attempts to access or alter object prototypes (NVD).

The vulnerability is classified as a prototype pollution issue (CWE-1321: Improperly Controlled Modification of Object Prototype Attributes). The CVSS v3.1 base score is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability specifically affects the object path utility functions (get, set, and update) which did not properly validate and block attempts to access or modify object prototypes (NVD).

The vulnerability could allow attackers to access or alter inherited properties of objects, potentially leading to prototype pollution attacks. This could result in unauthorized access to data and modification of application behavior through manipulation of object prototypes (FortiGuard).

The vulnerability has been patched in version 2.2.1, where the get, set and update functions now throw a TypeError when a user attempts to access or alter inherited properties. Users are advised to upgrade to version 2.2.1 or later to mitigate this vulnerability (NVD).