Bug 2399887 (CVE-2025-3193) - CVE-2025-3193 algoliasearch-helper: algoliasearch-helper prototype pollution
Summary: CVE-2025-3193 algoliasearch-helper: algoliasearch-helper prototype pollution
Keywords:
Status: NEW
Alias: CVE-2025-3193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2400141 2400142 2400143 2400144 2400145 2400146 2400147 2400148 2400149
Blocks:
Reported: 2025-09-27 06:01 UTC by OSIDB Bzimport
Modified: 2025-09-29 16:35 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-09-27 06:01:24 UTC
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.

This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).

**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
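A hardened recursive merge together with a pre-merge input check, added here as an example in JavaScript; it is not code from algoliasearch-helper or its merge.js, and the search-parameter object shape it merges is assumed:

```javascript
// Keys through which a merge can reach Object.prototype instead of the
// target object itself. A defensive merge never writes through these.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Detection: walk an untrusted object (e.g. parsed JSON search parameters)
// and return the dotted path of every unsafe key, so the request can be
// rejected or logged before any merge touches it.
function findUnsafeKeys(value, path = [], found = []) {
  if (!isPlainObject(value)) return found;
  for (const key of Object.keys(value)) {
    const keyPath = [...path, key];
    if (UNSAFE_KEYS.has(key)) found.push(keyPath.join('.'));
    findUnsafeKeys(value[key], keyPath, found);
  }
  return found;
}

// Mitigation: deep-merge `source` into `target` while skipping unsafe keys
// and only recursing into slots that `target` owns as plain objects, so an
// inherited value such as Object.prototype is never used as a merge target.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const src = source[key];
    if (isPlainObject(src)) {
      const ownsPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      const dst = ownsPlain ? target[key] : (target[key] = {});
      safeMerge(dst, src);
    } else {
      target[key] = src;
    }
  }
  return target;
}

// Constructed sample: default search parameters merged with untrusted input.
const defaults = { query: 'shoes', hitsPerPage: 10, facets: { brand: 'any' } };
const untrusted = JSON.parse('{"hitsPerPage":20,"facets":{"color":"red"}}');
console.log(findUnsafeKeys(untrusted)); // [] for this clean input
console.log(safeMerge(defaults, untrusted));
```

The test of a merge like this is that Object.prototype has no new properties afterwards, which is the check shown in the assertions.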

