Description

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be exeucted. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.

INFO

Published Date :

2025-09-27T05:00:07.140Z

Last Modified :

2025-10-04T23:33:59.390Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2025-3193 vulnerability.

Vendors Products
Algolia
  • Algoliasearch-helper
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-3193.

URL Resource
https://github.com/algolia/algoliasearch-helper-js/commit/776dff23c87b0902e554e02a8c2567d2580fe12a cve-icon cve-icon cve-icon
https://github.com/algolia/algoliasearch-helper-js/issues/922 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-3193 cve-icon
https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-3318396 cve-icon cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-3193 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact