The vulnerability exists in the `_merge()` function within the `merge.js` file. This function is used for recursively merging objects. A flawed implementation does not properly validate the keys of the input object. By crafting a malicious search parameter payload with a key like `__proto__` or `constructor.prototype`, an attacker can pollute the prototype of the base `Object`. When the function processes a nested key such as `constructor.prototype.polluted`, it traverses the prototype chain. Although assigning to `constructor.prototype` itself throws an error, if this error is caught and suppressed by the surrounding application code (an “extreme edge-case”), the pollution succeeds. This injects the property `polluted` into every object in the application, potentially altering their behavior or leading to remote code execution if the polluted property is used in unsafe operations.
Platform: Node.js
Version: 2.0.0-rc1 – 3.11.1
Vulnerability: Prototype Pollution
Severity: Moderate
Date: 2025-09-27
Prediction: Patch expected 2025-10-04
What Undercode Says:
Check whether an affected version is in your dependency tree:
npm audit
// Dotted parameter name that the vulnerable merge expands into nested keys
const helper = algoliasearchHelper(...);
helper.setQueryParameter('constructor.prototype.polluted', 'yes');
// Proof of Concept
const helper = algoliasearchHelper(...);
helper.setQueryParameter({'__proto__.polluted': 'YES'});
console.log({}.polluted); // Outputs 'YES'
How to Exploit:
Craft malicious search parameters.
Target applications catching errors.
Pollute the Object prototype.
Protection from this CVE:
Update to version 3.11.2.
Sanitize user inputs.
Avoid error suppression.
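The flawed recursive-merge pattern described above, beside a key-filtering fix of the kind "sanitize user inputs" calls for, as an added JavaScript example that is not algoliasearch-helper's own code; the names `fromDottedPath`, `unsafeMerge`, `safeMerge` and `probe` and the `__proto__.polluted` payload are constructed for illustration.

```javascript
// Added example, not algoliasearch-helper's own code: a recursive merge that
// trusts every key (the flaw described above) beside a hardened version.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Expands a dotted parameter name such as "a.b.c" into nested objects. A computed
// key (['__proto__']) makes an own property, not a prototype change, so the
// hostile key reaches the merge exactly as it arrived.
function fromDottedPath(name, value) {
  return name.split('.').reduceRight((inner, part) => ({ [part]: inner }), value);
}

// Flawed merge: for the key "__proto__", target[key] resolves to Object.prototype,
// which passes isPlainObject, so the recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    if (!isPlainObject(target[key])) target[key] = {};
    unsafeMerge(target[key], value);
  }
  return target;
}

// Hardened merge: skip keys that reach the prototype chain and recurse only into
// the target's own properties, never into an inherited one.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (!isPlainObject(value)) { target[key] = value; continue; }
    if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
    safeMerge(target[key], value);
  }
  return target;
}

// Merges a constructed "__proto__.polluted" parameter into fresh state, reports
// whether an unrelated object inherited the property, then cleans up after itself.
function probe(mergeFn) {
  const state = mergeFn({ hitsPerPage: 20 }, fromDottedPath('__proto__.polluted', 'yes'));
  const leaked = ({}).polluted;
  delete Object.prototype.polluted;
  return { ownKeys: Object.keys(state), leaked };
}
```

`probe(unsafeMerge).leaked` comes back as `'yes'` while `probe(safeMerge).leaked` is `undefined`, and both leave the state's own keys untouched.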
Impact:
Arbitrary code execution.
Denial of Service.
Application instability.
Sources:
Reported By: github.com