CVE-2025-13158
CRITICALapidoc-core >=0.2.0 - Prototype Pollution via Malformed Data Structures
Title source: llmDescription
Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.
References (1)
Core 1
Core References
Various Sources third-party-advisory
https://www.sonatype.com/security-advisories/cve-2025-13158
Scores
CVSS v4
9.3
EPSS
0.0044
EPSS Percentile
35.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-1321
Status
published
Products (2)
apiDoc/apidoc-core
0.2.0
npm/apidoc-core
0.2.0npm
Published
Dec 26, 2025
Tracked Since
Feb 18, 2026