CVE-2021-23433

Name of the Vulnerable Software and Affected Versions algoliasearch-helper versions prior to 3.6.2

Description The issue arises from the use of the merge function in src/SearchParameters/index.js, specifically in the SearchParameters. parseNumbers function, without protection against prototype properties, leading to Prototype Pollution. This is only exploitable if the implementation allows users to define arbitrary search patterns.

Recommendations For versions prior to 3.6.2, update to version 3.6.2 or later to resolve the issue. As a temporary workaround, consider restricting user input to prevent arbitrary search patterns.