ExtensionPedia
Hola VPN - Your Website Unblocker

The easiest way to access the Borderless Internet, Hola VPN gets you Access to the global online content you want!

Risk Summary

7.1/10 (High Risk), for extension version 1.251.527

Latest Version
Critical Permissions Severity
1 CVE
Updated Version Age
Manifest V3
Fair Engagement Rate
CVEs (1)

CVE-2026-27601 (Severity: Major, CVSS: 7.5)

Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _.flatten. In the case of _.isEqual, the vulnerability can only be exploited if there exists a code path in which two distinct datastructures that were submitted by the same remote client are compared using _.isEqual. For example, if a client submits data that are stored in a database, and the same client can later submit another datastructure that is then compared to the data that were saved in the database previously, OR if a client submits a single request, but its data are parsed twice, creating two non-identical but equivalent datastructures that are then compared. Exceptions originating from the call to _.flatten or _.isEqual, as a result of a stack overflow, are not being caught. This vulnerability is fixed in 1.13.8.
Permissions (10)

Cookies (Critical): Extensions with the cookies permission can retrieve and modify cookies (requires host permissions).

Management (Critical): Extensions with the management permission can manage your installed apps, extensions, and themes. If the extension is force-installed, it can disable other extensions.

Request Read (Critical): Access to network traffic.

Scripting (Critical): Extensions with the scripting permission can inject and execute code in web pages, which can potentially be used for data exfiltration or session hijacking (requires host permissions, available since Manifest V3).

Declarative Net Request (High): Extensions with the declarativeNetRequest permission can block network requests without requiring host permissions, and redirect requests and modify headers if it has host permissions.

Proxy (High): Extensions with the proxy permission can configure how the user's internet traffic is routed, which can be exploited for data theft, man-in-the-middle (MITM) attacks, phishing, and bypassing network security measures.

Tabs (High): Extensions with the tabs permission can query the url, pendingUrl, title, and favIconUrl of any tab.

Web Navigation (High): Extensions with the webNavigation permission can track websites the user visits by listening to navigation events.

Storage (Medium): Extensions with the storage permission can store and retrieve user data, which can persist even after clearing the cache and browsing history.

Web Request Auth Provider (Medium): Enables browser extensions to handle HTTP authentication requests and provide authentication credentials automatically.
Host Permissions (1)
*://*/*
Secrets

No Secrets Found

No exposed API keys or credentials were detected
