CVE-2025-3193: 
JavaScript vulnerability analysis and mitigation

CVE-2025-3193 affects the algoliasearch-helper package versions from 2.0.0-rc1 to 3.11.2. The vulnerability was discovered in September 2025 and involves a Prototype Pollution issue in the _merge() function within merge.js. This security flaw allows constructor.prototype to be written even though doing so throws an error (NVD, Snyk).

The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) with a CVSS v3.1 base score of 7.5 (High). The issue occurs in the _merge() function where constructor.prototype can be written despite throwing an error. If this error is caught, injected code in the user-supplied search parameter may be executed. The vulnerability is particularly concerning in cases where error handling might inadvertently enable the exploitation (NVD, Red Hat).

While the severity is rated as high, it's important to note that this vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users. However, in configurations where user input can modify search parameters, successful exploitation could lead to prototype pollution and potential code execution (NVD).

The primary mitigation is to upgrade algoliasearch-helper to version 3.11.2 or higher, which includes a fix for this vulnerability. The fix prevents prototype pollution by ensuring that both 'proto' and 'constructor' properties are skipped during the merge operation (GitHub Commit).