{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-3193","assignerOrgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","state":"PUBLISHED","assignerShortName":"snyk","dateReserved":"2025-04-03T10:26:27.920Z","datePublished":"2025-09-27T05:00:07.140Z","dateUpdated":"2025-10-04T23:33:59.390Z"},"containers":{"cna":{"metrics":[{"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","exploitCodeMaturity":"NOT_DEFINED","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],"credits":[{"value":"Yuhan Gao","lang":"en"},{"value":"Peng Zhou","lang":"en"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1321","description":"Prototype Pollution","lang":"en"}]}],"providerMetadata":{"orgId":"bae035ff-b466-4ff4-94d0-fc9efd9e1730","shortName":"snyk","dateUpdated":"2025-10-04T23:33:59.390Z"},"descriptions":[{"value":"Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. 
In the \"extreme edge-case\" that the resulting error is caught, code injected into the user-supplied search parameter may be executed.\r\rThis is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421).\r\r**NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.","lang":"en"}],"references":[{"url":"https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-3318396"},{"url":"https://github.com/algolia/algoliasearch-helper-js/issues/922"},{"url":"https://github.com/algolia/algoliasearch-helper-js/commit/776dff23c87b0902e554e02a8c2567d2580fe12a"}],"affected":[{"product":"algoliasearch-helper","versions":[{"version":"2.0.0-rc1","lessThan":"3.11.2","status":"affected","versionType":"semver"}],"vendor":"n/a"}]},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-1321","lang":"en","description":"CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-29T13:34:39.990542Z","id":"CVE-2025-3193","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-29T13:35:56.851Z"}}]}}