CVE-2025-3193
BaseFortify
Publication date: 2025-09-27
Last updated on: 2025-10-05
Assigner: Snyk
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| algolia | algoliasearch-helper | From 2.0.0 (inc) to 3.11.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Prototype Pollution issue in the _merge() function of the algoliasearch-helper package (versions 2.0.0-rc1 to before 3.11.2). It allows the constructor.prototype to be written to, which normally throws an error. In a rare edge case where this error is caught, malicious code injected via the user-supplied search parameter could be executed. However, this vulnerability is not exploitable in the default configuration of InstantSearch because searchParameters cannot be modified by users.
How can this vulnerability impact me?
If exploited, this vulnerability could allow execution of malicious code through user-supplied search parameters, potentially leading to denial of service or other impacts on availability. However, exploitation requires an unusual edge case and is not possible in default InstantSearch configurations.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the algoliasearch-helper package to a version later than 3.11.2, as versions 2.0.0-rc1 and before 3.11.2 are vulnerable. Additionally, ensure that user-supplied searchParameters are not modifiable, as the vulnerability is not exploitable in the default configuration of InstantSearch where searchParameters cannot be modified by users.
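As an added example (not code from algoliasearch-helper or Algolia), the following shows the defensive shape a merge of user-supplied search parameters should have: it copies only own keys and drops `__proto__`, `constructor` and `prototype` so that untrusted input can never reach `Object.prototype`. The function names and the sample input are hypothetical and constructed for this illustration.

```javascript
// Added example, not algoliasearch-helper's own code. Names are hypothetical.
// Keys that a prototype-pollution payload needs in order to reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only for plain objects ({} or Object.create(null)), not arrays, functions, etc.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Recursively merges `source` into `target`, copying only own enumerable keys
// and skipping any key that could redirect the write to a prototype object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // silently drop polluting keys
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Parses a user-supplied JSON searchParameters string and merges it into a
// copy of the defaults, so the caller's defaults object is never mutated.
function applyUserSearchParameters(defaults, jsonInput) {
  const parsed = JSON.parse(jsonInput);
  if (!isPlainObject(parsed)) {
    throw new TypeError('searchParameters must be a JSON object');
  }
  return safeMerge(safeMerge({}, defaults), parsed);
}

// Detection helper: true if Object.prototype has gained an own property `name`.
function prototypeIsPolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}
```

`prototypeIsPolluted` is the check to run after merging untrusted input in a unit test; if it ever returns true, the merge being tested still lets attacker-controlled keys through.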