CVE-2025-3193

7.5 HIGH

📋 TL;DR

CVE-2025-3193 is a prototype pollution vulnerability in algoliasearch-helper's _merge() function that allows attackers to inject malicious code through user-supplied search parameters. This affects versions 2.0.0-rc1 through 3.11.1 when search parameters are modifiable by users. The vulnerability is not exploitable in default InstantSearch configurations.

💻 Affected Systems

Products:
  • algoliasearch-helper
Versions: 2.0.0-rc1 through 3.11.1
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when search parameters are modifiable by users; default InstantSearch configuration is not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or server takeover if error handling catches the pollution attempt and executes injected code.

🟠 Likely Case

Limited impact due to the extreme edge-case requirement and default InstantSearch protections, potentially causing application instability or denial of service.

🟢 If Mitigated

No impact when using default InstantSearch configuration or when user input validation prevents search parameter modification.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Exploitation requires catching the error thrown during prototype pollution, making this an extreme edge-case scenario.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.11.2

Vendor Advisory: https://github.com/algolia/algoliasearch-helper-js/commit/776dff23c87b0902e554e02a8c2567d2580fe12a

Restart Required: No

Instructions:

1. Update algoliasearch-helper to version 3.11.2 or later.
2. Run 'npm update algoliasearch-helper' or 'yarn upgrade algoliasearch-helper'.
3. Test application functionality after the update.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation to prevent users from modifying search parameters.

Use Default InstantSearch Configuration

all

Ensure InstantSearch is used with default configuration where search parameters are not user-modifiable.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-supplied search parameters
  • Use web application firewall rules to block suspicious search parameter patterns
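The input-validation workaround above, written out as an added example (not code from the advisory or from the algoliasearch-helper project): user-supplied search parameters are refused if they carry a prototype-polluting key at any depth, and only an application-defined allow-list of top-level parameters is copied through; the allow-list names are a constructed assumption.

```javascript
// Added example, not from the advisory or the algoliasearch-helper project:
// validate user-supplied search parameters before they reach any code that
// merges them into a helper state. Two checks: (1) refuse any object that
// carries a prototype-polluting key at any depth, (2) copy only an
// application-defined allow-list of top-level parameters. The allow-list
// below is a constructed assumption; adjust it to the parameters you expose.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical allow-list of parameters this application lets users change.
const ALLOWED_PARAMS = new Set(['query', 'page', 'hitsPerPage', 'facetFilters']);

// Recursively collect dotted paths of every forbidden key; empty means clean.
// Reflect.ownKeys sees "__proto__" as an own key when the object came from
// JSON.parse, which is how attacker-controlled parameters usually arrive.
function findPollutingKeys(value, path = '') {
  const violations = [];
  if (value === null || typeof value !== 'object') return violations;
  for (const key of Reflect.ownKeys(value)) {
    const name = String(key);
    const here = path ? `${path}.${name}` : name;
    if (FORBIDDEN_KEYS.has(name)) violations.push(here);
    // An own "__proto__" data property shadows the inherited accessor, so
    // value[key] reads the nested input object rather than the real prototype.
    violations.push(...findPollutingKeys(value[key], here));
  }
  return violations;
}

// Return a fresh object holding only allow-listed parameters, or throw.
function sanitizeSearchParams(raw) {
  const bad = findPollutingKeys(raw);
  if (bad.length > 0) {
    throw new Error(`rejected search parameters: ${bad.join(', ')}`);
  }
  const clean = {};
  for (const key of Object.keys(raw)) {
    if (ALLOWED_PARAMS.has(key)) clean[key] = raw[key];
  }
  return clean;
}

// Constructed inputs, as they would arrive from JSON.parse of a request body.
const SAMPLE_BAD = JSON.parse('{"query":"shoes","__proto__":{"polluted":true}}');
const SAMPLE_GOOD = JSON.parse('{"query":"shoes","page":2,"debug":true}');
```

Run the sanitizer on every request before the parameters are handed to the helper; rejected requests are worth logging, since they are the "unusual search parameter patterns" the detection section refers to.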

🔍 How to Verify

Check if Vulnerable:

Check package.json for algoliasearch-helper version between 2.0.0-rc1 and 3.11.1, and verify if search parameters are user-modifiable.

Check Version:

npm list algoliasearch-helper

Verify Fix Applied:

Confirm algoliasearch-helper version is 3.11.2 or later in package.json and node_modules.

📡 Detection & Monitoring

Log Indicators:

  • Unusual search parameter patterns
  • Error logs related to prototype pollution or merge.js

Network Indicators:

  • HTTP requests with malformed search parameters containing prototype pollution patterns

SIEM Query:

search 'algoliasearch-helper' AND ('prototype' OR 'merge.js' OR 'searchParameters')

🔗 References
