CVE-2025-13158 CRITICAL

CVE-2025-13158: apidoc-core - prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker

Vendor Apidoc
Product apidoc-core
Weakness CWE-1321
Published December 26, 2025
Last update December 26, 2025

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.
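A defensive pattern for the class of bug described above, given as an added example that is not apidoc-core source code. It assumes a worker that files each parsed block's `define` entry under its name and version; the block shape, `collectDefinitions`, `isSafeKey`, and the sample data are hypothetical.

```javascript
// Added example, not apidoc-core code. Block shape and names are assumptions.

// Keys that reach the prototype chain when used to index a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return typeof key === 'string' && key.length > 0 && !FORBIDDEN_KEYS.has(key);
}

// Builds a name -> version -> definition registry from untrusted parsed blocks.
// With a plain {} registry, registry[name] for a name of "__proto__" resolves
// to Object.prototype, so the nested write would land on every object.
function collectDefinitions(blocks, defaultVersion = '0.0.0') {
  const registry = Object.create(null); // no prototype to inherit from
  const rejected = [];
  for (const block of blocks) {
    const def = block && block.global && block.global.define;
    if (!def) continue;
    const name = def.name;
    const version = block.version || defaultVersion;
    if (!isSafeKey(name) || !isSafeKey(version)) {
      rejected.push({ name, version }); // report it, never index with it
      continue;
    }
    if (!registry[name]) registry[name] = Object.create(null);
    registry[name][version] = def;
  }
  return { registry, rejected };
}

// Constructed sample input: one ordinary definition, one malformed name.
const sampleBlocks = [
  { version: '1.0.0', global: { define: { name: 'UserNotFound', title: 'User not found' } } },
  { version: 'polluted', global: { define: { name: '__proto__', title: 'x' } } },
];

function demo() {
  const { registry, rejected } = collectDefinitions(sampleBlocks);
  return {
    names: Object.keys(registry),
    rejectedCount: rejected.length,
    prototypeClean: !('polluted' in {}), // a fresh object must not inherit the key
  };
}

console.log(demo());
```

The two guards are independent: the null-prototype registry removes the inherited accessor, and the key check keeps malformed names out of the output entirely so they can be logged.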

Key dates

02 Disclosure timeline

December 26, 2025 CVE published
December 26, 2025 Record updated