CVE-2025-3193
Published 2025-09-27
Priority: P3 (40) · Severity: high · CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.48% (37.9th percentile)
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
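The advisory's point is that a recursive merge which treats every key in user-supplied search parameters as data will eventually descend into `constructor.prototype`, and that relying on a thrown error to stop that write is fragile once something catches the error. The block below is an added example, not code from algoliasearch-helper or Algolia: a deep merge for search parameters that rejects the prototype-polluting key names up front, together with a walker that reports the path of any such key so the rejected input can be logged. The `safeMerge`, `findForbiddenKeys` and `demo` names, and the sample payload, are all constructed for this illustration.

```javascript
// Added example (not algoliasearch-helper code): reject prototype-polluting
// keys before merging user-supplied search parameters, instead of relying on
// a thrown error that a caller may swallow.

// Key names through which a merge can reach Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Plain objects only: arrays, Dates, class instances, etc. are never recursed into.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Walk an object tree and return the dotted path of every forbidden key.
// Useful for logging what was rejected and where it sat in the input.
function findForbiddenKeys(obj, path = []) {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const key of Object.keys(obj)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findForbiddenKeys(obj[key], here));
  }
  return hits;
}

// Deep-merge `source` into `target`. Refuses the whole input if any forbidden
// key is present, and only reuses an existing *own* plain-object property on
// the target, so nothing inherited through the prototype chain is written to.
function safeMerge(target, source) {
  const bad = findForbiddenKeys(source);
  if (bad.length > 0) {
    throw new TypeError(`refusing to merge forbidden key(s): ${bad.join(', ')}`);
  }
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample input, the kind of JSON a search UI might accept from a URL.
// JSON.parse creates *own* properties named "constructor" / "__proto__",
// unlike an object literal, which is why Object.keys() sees them.
const constructedPayload = JSON.parse(
  '{"query":"shoes","constructor":{"prototype":{"polluted":true}}}'
);

// Exercise the guard and report what a caller observes.
function demo() {
  const defaults = { query: '', hitsPerPage: 20, facets: {} };
  let error = null;
  try {
    safeMerge(defaults, constructedPayload);
  } catch (e) {
    error = e.message;
  }
  return {
    error,                       // the rejection message, with the offending path
    polluted: ({}).polluted,     // stays undefined: Object.prototype was never touched
    merged: safeMerge({ a: 1, nested: { x: 1 } }, JSON.parse('{"nested":{"y":2}}')),
  };
}
```

The guard rejects the input rather than silently dropping the key, so a caller that catches the error still has no half-merged object to work with; that is the property the advisory's "error is caught" edge case depends on. Logging the paths returned by `findForbiddenKeys` is a cheap detection signal for search parameters arriving from the URL or from user-controlled configuration.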
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| algolia | algoliasearch-helper | >= 2.0.0 < 3.11.2 | 3.11.2 |
| algolia | algoliasearch-helper | >= 2.0.0-rc1 < 3.11.2 | 3.11.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 5.9 | MEDIUM | |
GHSA
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
ghsa · 2025-09-27 · CVSS 9.8 · CRITICAL · CWE-1321
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.
This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).
**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
OSV
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
osv · 2025-09-27 · CVSS 9.8 · CRITICAL
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.
This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).
**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
Red Hat
algoliasearch-helper: algoliasearch-helper prototype pollution
vendor_redhat · 2025-09-27 · CVSS 5.9 · MEDIUM · CWE-1321
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.
This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).
**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
A prototype pollution flaw has been discovered in the npm algoliasearc
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-3193 golang-github-task: algoliasearch-helper prototype pollution [fedora-42]
bugzilla · 2025-09-29 · CVSS 7.5 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug r
Bugzilla
CVE-2025-3193 h3: algoliasearch-helper prototype pollution [fedora-42]
bugzilla · 2025-09-29 · CVSS 7.5 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from rele