Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is caught, code injected into the user-supplied search parameter may be exeucted. This is related to but distinct from the issue reported in [CVE-2021-23433](https://security.snyk.io/vuln/SNYK-JS-ALGOLIASEARCHHELPER-1570421). **NOTE:** This vulnerability is not exploitable in the default configuration of InstantSearch since searchParameters are not modifiable by users.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
CWE-1321
Vulnerability Title
algoliasearch-helper 安全漏洞
Vulnerability Description
algoliasearch-helper是Algolia开源的一个JavaScript模块,它可以帮助您跟踪搜索参数并提供更高级别的 API。 algoliasearch-helper 2.0.0-rc1版本至3.11.2之前版本存在安全漏洞,该漏洞源于merge.js中_merge函数存在原型污染,可能导致执行用户提供的搜索参数中的代码。
CVSS Information
N/A
Vulnerability Type
N/A