CVE-2025-13158 — Prototype Pollution in apidoc-core

Prototype pollution isn’t just about data — it can fundamentally alter how JavaScript apps behave because the prototype system is at the core of object-oriented behavior in JS. This makes it especially dangerous in tools embedded in developer workflows or automated processes.

Status: Newly published (Dec 26, 2025) in the National Vulnerability Database (NVD) and associated advisories.


Vulnerability Overview

  • Name: CVE-2025-13158
  • Severity: Critical (CVSS v4.0 score of 9.3)
  • Affected Component: apidoc-core (a JavaScript/Node.js library often used for API documentation tooling)
  • Impacted Versions: 0.2.0 and all subsequent versions (no fixed/patched release available at disclosure)

Technical Description

CWE: CWE-1321 — Improperly Controlled Modification of Object Prototype Attributes (“Prototype Pollution”)

The vulnerability allows remote attackers to modify JavaScript object prototypes by sending crafted input (e.g., malformed JSON structures). This happens because certain functions in the apidoc-core workflow — specifically in modules such as:

  • api_group.js,
  • api_param_title.js,
  • api_use.js, and
  • api_permission.js

don’t properly validate or sanitize incoming data before merging it into internal objects.

Prototype pollution means an attacker can influence the behavior of every object that inherits from the altered prototype chain, potentially leading to:

  • Denial of Service (DoS) (e.g., crashes, infinite loops)
  • Unexpected or malicious behavior in applications relying on apidoc-core
  • Broader application logic issues due to polluted prototypes

No authentication or prior privileges are needed for exploitation — it’s remote and unauthenticated.


Impact & Risks

  • High impact on applications that use apidoc-core for API generation, documentation or automation.
  • Because JavaScript object prototypes are foundational to runtime behavior, pollution attacks can cause unpredictable logic execution and side effects.

Even if direct confidential data theft isn’t the primary vector, corrupted object behavior can cascade into broader system instability or indirect security failures.


Mitigation Guidance

There is no official patched release available at the time of disclosure, so affected users/developers should:

  1. Audit and identify all uses of apidoc-core in code repositories, CI/CD systems, and build pipelines.
  2. Sanitize and validate all external inputs before processing. Reject or filter dangerous fields (e.g., “define”).
  3. Apply defensive coding practices, such as freezing the base prototype (Object.freeze(Object.prototype)) where feasible so it can no longer be modified at runtime.
  4. Isolate or sandbox apidoc workloads (e.g., restricting them to containers with limited privileges).
  5. Monitor logs and errors for signs of prototype pollution during runtime.
  6. Watch for official patches from apiDoc maintainers and update as soon as available.
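The merge flaw described under Technical Description and the input validation asked for in mitigation step 2, as an added example that is not apidoc-core's own code: a naive recursive merge that a crafted JSON payload pollutes, beside a hardened merge that copies own keys only and skips `__proto__`, `constructor` and `prototype`. The payload, field names and function names are constructed for this demo.

```javascript
// Added example (not apidoc-core's own code): the naive recursive merge
// behind CWE-1321 beside a hardened one. The JSON payload is constructed.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: every key is copied, so a nested "__proto__" object
// is merged into the target's prototype, which is Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      target[key] = naiveMerge(isPlainObject(target[key]) ? target[key] : {}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: own keys only, polluting keys skipped, nested target reused only if own.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed payload: one legitimate field beside a polluting one.
const CRAFTED_JSON = '{"group": "Users", "__proto__": {"polluted": true}}';
// Merges the payload with mergeFn and reports whether an unrelated fresh
// object inherited the injected key; any pollution is undone afterwards.
function pollutes(mergeFn) {
  mergeFn({}, JSON.parse(CRAFTED_JSON));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

// Mitigation step 5 at runtime: Object.prototype should have no own enumerable keys.
const pollutedPrototypeKeys = () => Object.keys(Object.prototype);
```

Calling `pollutes(naiveMerge)` returns true while `pollutes(safeMerge)` returns false; `pollutedPrototypeKeys()` is the check to run in a health probe or test suite, since any key it lists means something has already merged into the shared prototype.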