Bug 2399887 (CVE-2025-3193)

Summary: CVE-2025-3193 algoliasearch-helper: algoliasearch-helper prototype pollution
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alcohan, gparvin, jbalunas, jcantril, owatkins, pahickey, rhaigner, rojacob
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A prototype pollution flaw has been discovered in the npm algoliasearch-helper package. This flaw exists in the `_merge()` function in merge.js, which allows constructor.prototype to be written even though doing so throws an error.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2400141, 2400142, 2400143, 2400144, 2400145, 2400146, 2400147, 2400148, 2400149
Bug Blocks:

Description OSIDB Bzimport 2025-09-27 06:01:24 UTC
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.

This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).

**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
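The mechanism described above, as an added example that is not algoliasearch-helper's own code: a naive recursive merge walks from the target's inherited `constructor` property into `Object.prototype`, writes the attacker's key there, and only then throws a TypeError when it tries to write `prototype` back onto the `Object` function in strict mode. A caller that swallows that error is left with a polluted prototype. The hardened merge beside it skips `__proto__`, `constructor` and `prototype` keys and only recurses into the target's own plain-object properties. The `naiveMerge`/`safeMerge` names and the JSON payloads are constructed for this illustration.

```javascript
// Added example (not algoliasearch-helper code). Shows how a merge that recurses
// through `constructor` reaches Object.prototype, pollutes it, and then throws,
// versus a merge that refuses prototype-shaped keys. Payloads are constructed.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: `target[key]` returns inherited values, so for key
// "constructor" on a plain object it yields the Object function, and for key
// "prototype" on that function it yields Object.prototype. The recursion then
// assigns onto Object.prototype before the write-back `Object.prototype = ...`
// fails (non-writable property, strict mode -> TypeError).
function naiveMerge(target, source) {
  'use strict';
  for (const key of Object.keys(source)) {
    const value = source[key];
    const existing = target[key]; // includes inherited properties (the bug)
    if (isPlainObject(value) && (isPlainObject(existing) || typeof existing === 'function')) {
      target[key] = naiveMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: drop keys that can redirect the walk into a prototype, and
// never descend into inherited properties of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  'use strict';
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // silently ignore; could also throw
    const value = source[key];
    const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(value)) {
      target[key] = safeMerge(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The "error is caught" edge case: the caller swallows the TypeError, yet every
// object in the process now inherits `polluted`.
function demoNaive() {
  const userInput = JSON.parse('{"constructor":{"prototype":{"polluted":"yes"}}}'); // constructed
  let threw = false;
  try {
    naiveMerge({}, userInput);
  } catch (e) {
    threw = e instanceof TypeError;
  }
  const leaked = ({}).polluted; // observed on an unrelated, freshly created object
  delete Object.prototype.polluted; // undo the pollution so the rest of the process is unaffected
  return { threw, leaked };
}

// Same payload through the hardened merge: the legitimate field survives, the
// prototype-shaped branch is dropped, Object.prototype is untouched.
function demoSafe() {
  const userInput = JSON.parse('{"constructor":{"prototype":{"polluted":"yes"}},"query":"shoes"}'); // constructed
  const result = safeMerge({ hitsPerPage: 20 }, userInput);
  return {
    leaked: ({}).polluted,
    query: result.query,
    hitsPerPage: result.hitsPerPage,
    hasConstructorKey: Object.prototype.hasOwnProperty.call(result, 'constructor'),
  };
}

console.log('naive :', demoNaive()); // { threw: true, leaked: 'yes' }
console.log('safe  :', demoSafe());  // { leaked: undefined, query: 'shoes', hitsPerPage: 20, hasConstructorKey: false }
```

The point for triage is the ordering: the write into `Object.prototype` happens inside the recursion, so the later TypeError does not undo it. Any code path that catches and ignores errors from the merge (or runs it outside strict mode, where the failed write-back is silent) keeps the polluted prototype. Rejecting the three keys up front, as the hardened version does, is the standard mitigation; freezing `Object.prototype` or using `Object.create(null)` targets are defence-in-depth options.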