Description
The package algoliasearch-helper before 3.6.2 are vulnerable to Prototype Pollution due to use of the merge function in src/SearchParameters/index.jsSearchParameters._parseNumbers without any protection against prototype properties. Note that this vulnerability is only exploitable if the implementation allows users to define arbitrary search patterns.
Remediation
References
https://github.com/algolia/algoliasearch-helper-js/blob/3.5.5/src/SearchParameters/index.js%23L291
https://github.com/algolia/algoliasearch-helper-js/commit/4ff542b70b92a6b81cce8b9255700b0bc0817edd
https://snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421
Related Vulnerabilities
CVE-2022-36906 Vulnerability in maven package org.jenkins-ci.plugins:openshift-deployer
CVE-2021-29425 Vulnerability in maven package commons-io:commons-io
CVE-2021-23337 Vulnerability in maven package org.fujion.webjars:lodash
CVE-2023-33202 Vulnerability in maven package org.bouncycastle:bcprov-jdk18on
CVE-2018-11786 Vulnerability in maven package org.apache.karaf.shell:org.apache.karaf.shell.core