cvedb.io
CVE-2025-3193
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-09-27T05:15:30.253 · Last modified 2026-06-17T09:19:23.750

Summary

Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be executed. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
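The summary describes a deep merge of user-supplied search parameters that lets `constructor.prototype` be written. As an added illustration (not the package's own `_merge()` from merge.js), here is a hardened deep merge that drops the keys such payloads rely on, plus a check that the shared `Object.prototype` is unchanged after merging untrusted input; the sample parameters and the `tainted` marker are constructed for the demonstration.

```javascript
// Added example, not code from algoliasearch-helper.
// Keys that let a merged object reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only recurse into plain objects, never into functions or class instances
// (Object.prototype.constructor is a function, so it is never walked).
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Deep-merges `source` into `target`, skipping forbidden keys entirely.
// A legitimate search parameter named "constructor" is dropped as well;
// that is the deliberate trade-off.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = safeMerge(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input: JSON.parse keeps "__proto__" as an own key,
// so a naive merge would walk it; "constructor" -> "prototype" is the path
// named in the advisory.
const SAMPLE_UNTRUSTED_PARAMS = JSON.parse(
  '{"hitsPerPage": 20, "filters": {"brand": "acme"}, ' +
    '"constructor": {"prototype": {"tainted": true}}, ' +
    '"__proto__": {"tainted": true}}'
);

// Regression check: merging untrusted input into a fresh object must leave
// Object.prototype exactly as it was (no "tainted" property on new objects).
function mergeLeavesPrototypeClean(untrusted) {
  const namesBefore = Object.getOwnPropertyNames(Object.prototype).length;
  safeMerge({}, untrusted);
  const namesAfter = Object.getOwnPropertyNames(Object.prototype).length;
  return namesAfter === namesBefore && ({}).tainted === undefined;
}
```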

Affected products

algolia — algoliasearch-helper

