algoliasearch-helper@2.11.0 vulnerabilities

Helper for implementing advanced search features with algolia

  • latest version

    3.26.0

  • latest non vulnerable version

  • first published

    10 years ago

  • latest version published

    3 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the algoliasearch-helper package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability / Vulnerable versions
    • High severity: Prototype Pollution

    algoliasearch-helper is a Helper for implementing advanced search features with algolia

    Affected versions of this package are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.

    This is related to but distinct from the issue reported in CVE-2021-23433.

    NOTE: This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.

    How to fix Prototype Pollution?

    Upgrade algoliasearch-helper to version 3.11.2 or higher.

    Vulnerable versions: >=2.0.0-rc1 <3.11.2
    • Medium severity: Prototype Pollution

    algoliasearch-helper is a Helper for implementing advanced search features with algolia

    Affected versions of this package are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js#SearchParameters._parseNumbers without any protection against prototype properties.

    Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

    PoC

    // Run `npm i algoliasearch-helper` (an affected version, below 3.6.2), then run this script.
    const algohelp = require('algoliasearch-helper');
    // JSON.parse creates an own "__proto__" property, which the unprotected merge then follows.
    const payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
    const test = {};
    console.log("Before: " + test.polluted); // Before: undefined
    algohelp.SearchParameters._parseNumbers(payload); // {}
    console.log("After: " + test.polluted); // After: vulnerable to PP

    How to fix Prototype Pollution?

    Upgrade algoliasearch-helper to version 3.6.2 or higher.

    Vulnerable versions: <3.6.2
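As an added illustration (not code from algoliasearch-helper or from Snyk) of the merge weakness both entries above describe, the following JavaScript places the naive recursive merge pattern beside a hardened one that refuses the `__proto__`, `constructor` and `prototype` keys, and adds a small check that a test suite or startup probe can run to detect whether `Object.prototype` has already been polluted. The payload, the `hitsPerPage`/`facets` fields and all function names are constructed for the example and are assumptions, not identifiers from the library.

```javascript
// Added example, not algoliasearch-helper code: a merge that refuses to write
// through prototype-bearing keys, beside the naive pattern both advisories
// describe, and a check that reports whether Object.prototype was polluted.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True for objects created by literals, JSON.parse or Object.create(null);
// false for arrays, functions, class instances and primitives.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern: for a source key named "__proto__", target[key] resolves
// to Object.prototype and the recursion writes the input's keys onto it.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip the three keys that can reach a prototype, visit only
// the source's own keys, and only descend into objects the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection: Object.prototype normally has no enumerable own keys, so any
// entry returned here means some input was merged into the prototype.
function pollutedPrototypeKeys() {
  return Object.keys(Object.prototype);
}

function demonstrate() {
  // Constructed input, shaped like the payload in the advisory's PoC; in a
  // real deployment this would be a user-supplied search parameter object.
  const untrusted = JSON.parse(
    '{"hitsPerPage": 20, "__proto__": {"polluted": "yes"}}'
  );

  naiveMerge({}, untrusted);
  const naiveResult = {
    polluted: ({}).polluted,                // 'yes': every object now sees it
    prototypeKeys: pollutedPrototypeKeys(), // ['polluted']
  };
  delete Object.prototype.polluted;         // undo so the rest of the process is clean

  const params = safeMerge({ hitsPerPage: 10, facets: ['brand'] }, untrusted);
  const safeResult = {
    polluted: ({}).polluted,                // undefined
    prototypeKeys: pollutedPrototypeKeys(), // []
    hitsPerPage: params.hitsPerPage,        // 20: legitimate keys still merge
    facets: params.facets,                  // ['brand']
  };
  return { naiveResult, safeResult };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

The `pollutedPrototypeKeys()` check is the cheap regression test to keep around after upgrading past 3.6.2 / 3.11.2: run it after feeding representative untrusted parameter objects through the code path and fail the build if it returns anything.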