CVE-2025-13158

CRITICAL

NPM Apidoc-core - Prototype Pollution

Title source: rule

Description

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.

References (1)

[Various Sources] https://www.sonatype.com/security-advisories/cve-2025-13158

Scores

CVSS v4 9.3

EPSS 0.0012

EPSS Percentile 31.0%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-1321

Status published

Products (2)

apiDoc/apidoc-core 0.2.0

npm/apidoc-core 0.2.0npm

Published Dec 26, 2025

Tracked Since Feb 18, 2026