CVE 9.3 CRITICAL

apidoc-core – prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker_CVE-2025-13158

December 26, 2025 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.

AI Analysis

Prototype pollution vulnerability allowing remote attackers to modify JavaScript object prototypes via malformed data structures

Basic Information

ID CVE-2025-13158

Source Sonatype

Published Dec 26, 2025 at 16:00

Modified Dec 26, 2025 at 16:55

Affected Product

Vendor apiDoc

Product apidoc-core

Version 0.2.0

Affected Versions apiDoc apidoc-core 0.2.0

CWE Classification

CWE-1321

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor apiDoc

Product apidoc-core

Version 0.2.0

References

www.sonatype.com /security-advisories/cve-2025-13158

{
    "lastseen": "",
    "description": "Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the \u201cdefine\u201d property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.",
    "published": "2025-12-26T16:00:27.208Z",
    "modified": "2025-12-26T16:55:08.039Z",
    "type": "cve",
    "title": "apidoc-core - prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker",
    "source": "Sonatype",
    "references": "https://www.sonatype.com/security-advisories/cve-2025-13158",
    "id": "CVE-2025-13158",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1321"
    ],
    "cvelist": null,
    "sourceData": "apiDoc apidoc-core 0.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "apidoc-core",
    "version": "0.2.0",
    "vendor": "apiDoc",
    "ai_description": "Prototype pollution vulnerability allowing remote attackers to modify JavaScript object prototypes via malformed data structures",
    "ai_severity": "Critical",
    "ai_vendor": "apiDoc",
    "ai_product": "apidoc-core",
    "ai_version": "0.2.0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply