The package algoliasearch-helper before 3.6.2 is vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.js (SearchParameters._parseNumbers) without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.
References
| Link | Resource |
|---|---|
| https://github.com/algolia/algoliasearch-helper-js/blob/3.5.5/src/SearchParameters/index.js%23L291 | Broken Link |
| https://github.com/algolia/algoliasearch-helper-js/commit/4ff542b70b92a6b81cce8b9255700b0bc0817edd | Patch, Third Party Advisory |
| https://snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421 | Exploit, Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: snyk
Published: 2021-11-19T00:00:00
Updated: 2021-11-19T19:25:12
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23433
NVD Information
Status: Analyzed
Published: 2021-11-19T20:15:17.903
Modified: 2022-06-28T14:11:45.273
Link: CVE-2021-23433
Redhat Information
No data.
CWE