VYPR
← All advisories
Moderate severityOSV Advisory· Published Sep 27, 2025· Updated Oct 4, 2025

CVE-2025-3193

CVE-2025-3193

Description

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be exeucted. This is related to but distinct from the issue reported in CVE-2021-23433. NOTE: This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Prototype Pollution in algoliasearch-helper's merge.js allows code injection under specific conditions, but not exploitable by default.

Vulnerability

Overview CVE-2025-3193 is a Prototype Pollution vulnerability in the algoliasearch-helper library for JavaScript. The flaw resides in the _merge() function within merge.js, affecting versions from 2.0.0-rc1 up to (but not including) 3.11.2 [1][2]. The function incorrectly allows writing to constructor.prototype, even though such assignment throws an error in JavaScript. This is distinct from the previously disclosed CVE-2021-23433 [1].

Exploitation

Details Exploitation requires that the error thrown by writing to constructor.prototype is caught by the application [1]. An attacker must be able to supply user-controlled searchParameters to the merge function. However, the official advisory notes that this vulnerability is not exploitable in the default configuration of InstantSearch, as end-users cannot modify searchParameters [1][2]. The attack vector relies on Prototype Pollution, which can eventually lead to remote code execution if combined with other gadgets [2].

Impact

If successfully exploited, an attacker could inject arbitrary code via polluting the Object prototype, leading to potential remote code execution [2]. However, the practical risk is mitigated by the requirement that the error be caught and that the application must accept user-modified search parameters, which is not the default in InstantSearch [1].

Mitigation

The vulnerability is fixed in version 3.11.2 of algoliasearch-helper [1]. Users should update to this version or later. The issue was reported and addressed in the library's GitHub repository [3][4].

References
  1. NVD - CVE-2025-3193
  2. Snyk Vulnerability Database | Snyk
  3. GitHub - algolia/algoliasearch-helper-js: Helper for implementing advanced search features with Algolia
  4. Prototype pollution found in merge.js

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
algoliasearch-helpernpm
>= 2.0.0-rc1, < 3.11.23.11.2

Affected products

1

Patches

1
776dff23c87b

fix(constructor): prevent prototype pollution in rare error-cases

https://github.com/algolia/algoliasearch-helper-jsHaroen ViaeneJan 9, 2023via ghsa
commit
3 files changed · +27 1
  • src/functions/merge.js+2 1 modified
    @@ -23,7 +23,8 @@ function _merge(target, source) {
   for (var key in source) {
     if (
       !Object.prototype.hasOwnProperty.call(source, key) ||
-      key === '__proto__'
+      key === '__proto__' ||
+      key === 'constructor'
     ) {
       continue;
     }
  • test/spec/algoliasearch.helper/constructor.js+13 0 added
    @@ -0,0 +1,13 @@
+'use strict';
+
+var algoliasearchHelper = require('../../../index');
+
+test('not vulnerable to prototype pollution', () => {
+  try {
+    algoliasearchHelper({}, '', {constructor: {prototype: {test: 123}}});
+  } catch (e) {
+    // even if it throws an error, we need to be sure no vulnerability happens
+  }
+
+  expect({}.test).toBeUndefined();
+});
  • test/spec/functions/merge.js+12 0 modified
    @@ -183,3 +183,15 @@ it('does not pollute the prototype', () => {
 
   expect({}.polluted).toBe(undefined);
 });
+
+it('does not pollute the prototype in error condition', () => {
+  expect({}.polluted).toBe(undefined);
+
+  try {
+    merge({}, {'constructor': {'prototype': {'polluted': 'vulnerable to PP'}}});
+  } catch (e) {
+    // ignore
+  }
+
+  expect({}.polluted).toBe(undefined);
+});

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.