VYPR
Critical severity · OSV Advisory · Published Nov 19, 2021 · Updated Sep 16, 2024

Prototype Pollution

CVE-2021-23433

Description

The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.
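To make the mechanism in the description concrete, the following is an added example (constructed for this page, not algoliasearch-helper's own merge nor a copy of the fixed `_merge`): a naive recursive merge that follows JSON-supplied `__proto__` and `constructor.prototype` keys into `Object.prototype`, next to a hardened variant that skips those keys and only descends into containers the target itself owns. `isMergeable`, `naiveMerge`, `safeMerge`, `pollutes` and the payload constants are assumed names; the first payload is the one used in the patch's regression test, the second is a constructed variant.

```javascript
// Added example, not algoliasearch-helper's code: a naive recursive merge beside a
// hardened one, run on the advisory's "__proto__" payload and a "constructor.prototype" one.

// Plays the role of the page's isObjectOrArrayOrFunction: values the merge descends into.
function isMergeable(v) {
  return (typeof v === 'object' && v !== null) || typeof v === 'function';
}

// Naive deep merge. A JSON-parsed "__proto__" key is an own key, and target["__proto__"]
// resolves to Object.prototype, so the recursion writes into the shared prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const s = source[key];
    if (isMergeable(target[key]) && isMergeable(s)) {
      naiveMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Hardened deep merge: skip the keys that reach the prototype chain, and only
// descend into containers `target` owns itself, never into an inherited value.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const s = source[key];
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isMergeable(target[key]) && isMergeable(s)) {
      safeMerge(target[key], s);
    } else {
      target[key] = s;
    }
  }
  return target;
}

// Constructed payloads; the first is the one from the patch's regression test.
const PROTO_PAYLOAD = '{"__proto__": {"polluted": "vulnerable to PP"}}';
const CTOR_PAYLOAD = '{"constructor": {"prototype": {"polluted": "via constructor"}}}';

// Merge `json` into a fresh object, report whether Object.prototype got `polluted`, then clean up.
function pollutes(mergeFn, json) {
  mergeFn({}, JSON.parse(json));
  const hit = ({}).polluted !== undefined;
  delete Object.prototype.polluted;
  return hit;
}
```

`pollutes(naiveMerge, PROTO_PAYLOAD)` and `pollutes(naiveMerge, CTOR_PAYLOAD)` both return true, while the two `safeMerge` calls return false and ordinary nested merges still work.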

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: algoliasearch-helper (npm)
Affected versions: < 3.6.2
Patched versions: 3.6.2

Affected products

1

Patches

1
4ff542b70b92

fix(SearchParameters): ignore invalid parameters (#880)

4 files changed · +34 −3
  • src/functions/merge.js · +8 −2 · modified
    @@ -21,7 +21,10 @@ function _merge(target, source) {
       }
     
       for (var key in source) {
    -    if (!Object.prototype.hasOwnProperty.call(source, key)) {
    +    if (
    +      !Object.prototype.hasOwnProperty.call(source, key) ||
    +      key === '__proto__'
    +    ) {
           continue;
         }
     
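Review bot: the new guard at the top of the loop skips only `__proto__`; `constructor` and `prototype` are not excluded, so a source such as `{"constructor": {"prototype": {...}}}` can still reach `Object.prototype` through the recursive `_merge` call, because `isObjectOrArrayOrFunction` (used in the next hunk) accepts the inherited `Object` function as a merge target. Suggest extending the condition to `key === '__proto__' || key === 'constructor' || key === 'prototype'`, and additionally checking `Object.prototype.hasOwnProperty.call(target, key)` before recursing so that inherited values are never merged into regardless of key name.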
    @@ -32,7 +35,10 @@ function _merge(target, source) {
           continue;
         }
     
    -    if (isObjectOrArrayOrFunction(targetVal) && isObjectOrArrayOrFunction(sourceVal)) {
    +    if (
    +      isObjectOrArrayOrFunction(targetVal) &&
    +      isObjectOrArrayOrFunction(sourceVal)
    +    ) {
           target[key] = _merge(targetVal, sourceVal);
         } else {
           target[key] = clone(sourceVal);
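Review bot: this hunk is a line-wrapping change only (the condition is unchanged); mixing formatter output into a security fix makes the functional change harder to review and to backport, so consider keeping the reflow in a separate commit.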
    
  • test/spec/functions/defaultsPure.js · +13 −0 · modified
    @@ -92,3 +92,16 @@ it('should keep the keys order when adding facet refinements', function() {
       );
       expect(Object.keys(actual)).toEqual(['facet1', 'facet2']);
     });
    +
    +it('does not pollute the prototype', () => {
    +  var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
    +  var subject = {};
    +
    +  expect(subject.polluted).toBe(undefined);
    +
    +  const out = defaults({}, payload);
    +
    +  expect(out).toEqual({});
    +
    +  expect({}.polluted).toBe(undefined);
    +});
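Review bot: `subject` is asserted only before the call, so it proves nothing about the merge; either assert `subject.polluted` again after `defaults({}, payload)` or drop the variable. Building the payload with `JSON.parse` is the right way to obtain an own `__proto__` key (an object literal would set the prototype instead), but the test covers only that key; add a `{"constructor": {"prototype": {...}}}` case so the other route to `Object.prototype` is exercised as well. Minor: `var` and `const` are mixed within the same test body.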
    
  • test/spec/functions/intersection.js · +0 −1 · modified
    @@ -18,4 +18,3 @@ test('it should not produce duplicate primitive values', function() {
         '2'
       ]);
     });
    -
    
  • test/spec/functions/merge.js · +13 −0 · modified
    @@ -170,3 +170,16 @@ it('should not convert strings to arrays when merging arrays of `source`', funct
     
       expect(actual).toStrictEqual({a: ['x', 'y', 'z']});
     });
    +
    +it('does not pollute the prototype', () => {
    +  var payload = JSON.parse('{"__proto__": {"polluted": "vulnerable to PP"}}');
    +  var subject = {};
    +
    +  expect(subject.polluted).toBe(undefined);
    +
    +  const out = merge({}, payload);
    +
    +  expect(out).toEqual({});
    +
    +  expect({}.polluted).toBe(undefined);
    +});
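Review bot: this test is a verbatim copy of the one added to defaultsPure.js, differing only in the function under test; a shared helper that runs the payload and the before/after assertions against a given merge function would keep the two in sync when further keys (`constructor`, `prototype`) are covered. As in the other copy, `subject` is unused after the initial assertion, and `expect(out).toEqual({})` passes trivially whenever the key is ignored, so the assertion that actually detects pollution is `expect({}.polluted).toBe(undefined)`; keep that one and drop the dead variable.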
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
