{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47894?format=json","vulnerability_id":"VCID-phmt-ta9r-guh1","summary":"algoliasearch-helper is vulnerable to Prototype Pollution in _merge()\nVersions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the \"extreme edge-case\" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.\n\nThis is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).\n\n**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.","aliases":[{"alias":"CVE-2025-3193"},{"alias":"GHSA-529q-4j3p-7c5r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70657?format=json","purl":"pkg:npm/algoliasearch-helper@3.11.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/algoliasearch-helper@3.11.2"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70656?format=json","purl":"pkg:npm/algoliasearch-helper@2.0.0-rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-phmt-ta9r-guh1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/algoliasearch-helper@2.0.0-rc1"}],"references":[{"reference_url":"https://github.com/algolia/algoliasearch-helper-js","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/algolia/algoliasearch-helper-js"},{"reference_url":"https://github.com/algolia/algoliasearch-helper-js/commit/776dff23c87b0902e554e02a8c2567d2580fe12a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/algolia/algoliasearch-helper-js/commit/776dff23c87b0902e554e02a8c2567d2580fe12a"},{"reference_url":"https://github.com/algolia/algoliasearch-helper-js/issues/922","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/algolia/algoliasearch-helper-js/issues/922"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-3318396","reference_id":"","reference_type":"","scores":[],"url":"https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-3318396"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3193","reference_id":"CVE-2025-3193","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-3193"},{"reference_url":"https://github.com/advisories/GHSA-529q-4j3p-7c5r","reference_id":"GHSA-529q-4j3p-7c5r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-529q-4j3p-7c5r"}],"weaknesses":[{"cwe_id":1321,"name":"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')","description":"The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."},{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-phmt-ta9r-guh1"}