CVE-2025-3193

Name of the Vulnerable Software and Affected Versions algoliasearch-helper versions 2.0.0-rc1 through 3.11.2

Description The package contains a Prototype Pollution issue in the merge() function within the merge.js file. This allows modification of the constructor.prototype, potentially leading to code execution if errors are caught and user-supplied search parameters are injected. This is a distinct issue from another reported problem. The vulnerability is not exploitable in the default configuration of InstantSearch because search parameters are not user-modifiable.

Recommendations Update to a version after 3.11.2.