Critical severityGHSA Advisory· Published Dec 26, 2025· Updated Apr 15, 2026

CVE-2025-13158

Description

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
apidoc-corenpm	>= 0.2.0, <= 0.15.0	—

Affected products

Apidoc/Apidoc CoreGHSA
Range: >= 0.2.0, <= 0.15.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-6vj3-p34w-xxjpghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-13158ghsaADVISORY
www.sonatype.com/security-advisories/cve-2025-13158nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000