CVE-2025-13158

apidoc-core - prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker

CVSS 9.3 CRITICALEPSS 0.4%CWE-1321

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

26 Dec 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

apiDoc · apidoc-core

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.sonatype.com/security-advisories/cve-2025-13158