CVE-2025-3193
Date: September 27, 2025
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed. This is related to but distinct from the issue reported in "CVE-2021-23433" (https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). NOTE: This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
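To show the mechanism the description names (a recursive merge that follows a `constructor` key down to `Object.prototype`), here is an added example that is not code from algoliasearch-helper's merge.js: a minimal, hypothetical naive deep merge next to a hardened one that refuses prototype-affecting keys and recurses only into plain-object values the target itself owns. The payload, the parameter names (`hitsPerPage`, `query`, `facets`) and the `demo` helper are constructed for the example, and the simplified merge does not reproduce the thrown-error edge case the advisory mentions.

```javascript
// Added example (hypothetical code, not algoliasearch-helper's merge.js):
// a naive recursive merge that is vulnerable to prototype pollution (CWE-1321),
// next to a hardened version.

// Naive deep merge: recurses into every object-valued key of `source`,
// including "constructor" -> "prototype", which on a plain target resolves
// to Object.prototype and lets the payload write properties shared by all objects.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      naiveMerge(target[key], value); // for key "constructor", target[key] === Object
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can redirect a merge onto a prototype object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for plain objects (from {} or JSON.parse), not arrays, functions
// or class instances.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Hardened deep merge: drops prototype-affecting keys and only recurses into
// a plain object that the target itself owns, never into an inherited value.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge function on a constructed payload, reports whether a property
// leaked onto Object.prototype, and removes it again so the process stays clean.
function demo(mergeFn) {
  const defaults = { hitsPerPage: 20, facets: { brand: true } };
  // Constructed untrusted input, shaped as it would arrive through JSON.parse.
  const payload = JSON.parse(
    '{"query":"shoes","facets":{"color":true},' +
    '"constructor":{"prototype":{"polluted":"yes"}}}'
  );
  const result = mergeFn(defaults, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return {
    leaked,
    query: result.query,
    hitsPerPage: result.hitsPerPage,
    facetKeys: Object.keys(result.facets).sort().join(','),
  };
}

console.log('naive:', demo(naiveMerge));
console.log('safe: ', demo(safeMerge));
```

Run it with `node`. The hardened merge drops `__proto__`, `constructor` and `prototype` instead of merging into them, and checks `hasOwnProperty` before recursing, so an inherited value such as `target.constructor` is never used as a merge target. Where search parameters can come from users, a guard of this kind, or validating the parameter object against an allow-list of known keys before it reaches the merge, is the mitigation alongside upgrading to 3.11.2.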
Weakness Type (CWE)
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Top Fix
Upgrade Version
Upgrade to version 3.11.2 of algoliasearch-helper (published as algoliasearch-helper and algoliasearch-helper-js; source: https://github.com/algolia/algoliasearch-helper-js.git).
CVSS v3.1

| Metric | Value |
|---|---|
| Base Score | |
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality (C) | NONE |
| Integrity (I) | NONE |
| Availability (A) | HIGH |