CVE-2025-13158
Prototype Pollution in apidoc-core preProcess() Causes DoS
Publication date: 2025-12-26
Last updated on: 2025-12-26
Assigner: Sonatype
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apidoc-core | apidoc-core | 0.2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a prototype pollution issue in apidoc-core versions 0.2.0 and later. It allows remote attackers to modify JavaScript object prototypes by sending malformed data structures, including the 'define' property. This can affect the preProcess() function in several worker modules, potentially causing denial of service or unexpected behavior in applications that depend on the integrity of prototype chains.
How can this vulnerability impact me?
The vulnerability can lead to denial of service or unintended behavior in applications that rely on the integrity of JavaScript prototype chains. This means attackers could disrupt normal application operations or cause the application to behave unpredictably.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update apidoc-core to a version later than 0.2.0 where the issue is fixed. Additionally, review and sanitize any input data structures processed by the application, especially those involving the 'define' property, to prevent prototype pollution. Monitor application behavior for signs of denial of service or unexpected behavior related to prototype chain manipulation. [1]
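As an added defender-side example (not apidoc-core's code and not part of this advisory), the two checks below show what "sanitize input data structures" means for CWE-1321: a scanner that reports every key path in a parsed document that could reach Object.prototype, and a deep merge that refuses such keys instead of walking into the prototype chain. The hostile document is constructed here, and its "define" layout is an assumption, since the page does not show apidoc-core's real data format.

```javascript
// Added example, not apidoc-core's own code. Defender-side checks for
// CWE-1321 on untrusted JSON documents before they reach a merge/preprocess step.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Walk a parsed document and return every key path ("a.b.c") whose key could
// be used to modify a prototype. An empty result means the document is clean.
function findPollutingPaths(input, path = []) {
  const hits = [];
  if (Array.isArray(input)) {
    input.forEach((item, i) => hits.push(...findPollutingPaths(item, [...path, String(i)])));
    return hits;
  }
  if (!isPlainObject(input)) return hits;
  // Object.keys sees the own "__proto__" property that JSON.parse creates.
  for (const key of Object.keys(input)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findPollutingPaths(input[key], here));
  }
  return hits;
}

// Deep merge that throws instead of descending into a prototype. Only own,
// plain-object values on the target are reused, so a key that exists solely on
// the prototype chain (e.g. "toString") is never merged into.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed hostile document (assumed layout, not from the advisory): a
// "define" block carrying a "__proto__" key. Parsed with JSON.parse so the key
// is an own property, exactly as data read from a file or the network would be.
const HOSTILE_DOC = JSON.parse('{"define":{"name":"x","__proto__":{"polluted":true}},"version":"1"}');

function demo() {
  const paths = findPollutingPaths(HOSTILE_DOC);
  let rejected = false;
  try { safeMerge({}, HOSTILE_DOC); } catch (e) { rejected = true; }
  return { paths, rejected, prototypeClean: ({}).polluted === undefined };
}
```

Run the scanner before the merge rather than relying on the merge's exception alone: a rejected merge may already have written the keys that preceded the forbidden one.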