Description

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.
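The class of fix for this weakness, shown as an added example that is not apidoc-core's code or its patch: a collector that files "define" entries under a name and version without letting either key reach `Object.prototype`. The function names, the block shape (`block.global.define.name`, `block.version`) and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical collector, not taken from apidoc-core.
// Keys that resolve to the prototype chain on ordinary objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return typeof key === 'string' && key.length > 0 && !FORBIDDEN_KEYS.has(key);
}

// Builds registry[name][version] = definition from parsed blocks.
// Returns the registry plus the entries that were refused, so the caller
// can log or fail the build instead of silently dropping them.
function collectDefinitions(blocks, defaultVersion) {
  const registry = Object.create(null); // no inherited __proto__ accessor
  const rejected = [];
  for (const block of blocks) {
    const def = block && block.global && block.global.define;
    if (!def) continue;
    const name = def.name;
    const version = block.version || defaultVersion;
    if (!isSafeKey(name) || !isSafeKey(version)) {
      rejected.push({ name, version });
      continue;
    }
    if (!Object.prototype.hasOwnProperty.call(registry, name)) {
      registry[name] = Object.create(null);
    }
    registry[name][version] = def;
  }
  return { registry, rejected };
}

// Constructed sample input (assumed shape), including one malformed name.
const sampleBlocks = [
  { version: '1.0.0', global: { define: { name: 'AdminGroup', title: 'Admins' } } },
  { version: 'polluted', global: { define: { name: '__proto__', title: 'x' } } },
  { global: { define: { name: 'UserGroup', title: 'Users' } } },
];

const sampleResult = collectDefinitions(sampleBlocks, '0.0.0');
console.log(Object.keys(sampleResult.registry), sampleResult.rejected);
```
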

Status: PUBLISHED | Reserved 2025-11-13 | Published 2025-12-26 | Updated 2025-12-26 | Assigner: Sonatype




CRITICAL: 9.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Product status

Default status: unaffected

Affected: 0.2.0 (semver) before *

Credits

James Montaño of the Sonatype Security Research Team (finder)

References

www.sonatype.com/security-advisories/cve-2025-13158 (third-party-advisory)

cve.org (CVE-2025-13158)

nvd.nist.gov (CVE-2025-13158)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.