CVE-2025-57317
Description
apidoc-core is the core parser library that generates apidoc results following the apidoc-spec. A Prototype Pollution vulnerability in the preProcess function of apidoc-core versions through 0.15.0 allows attackers to inject properties on Object.prototype by supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A prototype pollution vulnerability in apidoc-core <=0.15.0 allows attackers to inject properties on Object.prototype via crafted payloads, leading to denial of service.
Vulnerability Overview
The preProcess function in apidoc-core, located in the apidoc-core/lib/workers/api_body_title module, has a prototype pollution vulnerability (CWE-1321). The function does not adequately restrict modifications to object prototypes when processing nested data structures in API documentation files. An attacker can supply a payload with crafted "define" properties, which are then merged into internal JavaScript objects without sufficient validation [1][3].
Attack Vector and Exploitation
An attacker can exploit this by providing a malicious API documentation file that includes a crafted payload designed to pollute the Object.prototype. The vulnerability is triggered during the parsing phase, when the preProcess function merges user-controlled data into its internal state. The attack does not require authentication and can be delivered via any method that allows the attacker to supply a malformed documentation file to the parser [3]. The minimum consequence is denial of service (DoS), as the polluted prototype can cause unexpected behavior or crashes in the application [1].
Impact
Successful prototype pollution in apidoc-core allows an attacker to inject properties on Object.prototype. This can lead to a denial of service condition as the most immediate impact, but may also cause unintended behavior in all objects within the application. The vulnerability affects all versions of apidoc-core through 0.15.0 [1][3].
Mitigation
As of the publication date, users are advised to check for updates to the apidoc-core library and apply any patches that address prototype pollution in the preProcess function. No official patch has been mentioned in the available references. Until a fix is available, users may consider input validation or sanitization of API documentation files before processing [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
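The input validation suggested under Mitigation can be sketched as follows. This is an added example, not code from apidoc-core or from the cited references: `storeNaive`, `storeSafe`, `demo` and the sample name and version are assumptions chosen to show the general CWE-1321 pattern of indexing a plain object with parser-supplied keys, next to a hardened form.

```javascript
// Added example; function and key names are hypothetical, not apidoc-core's.
const RESERVED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive pattern: a plain object indexed by parser-supplied name and version.
function storeNaive(registry, name, version, block) {
  if (!registry[name]) registry[name] = {};
  registry[name][version] = block; // name "__proto__" resolves to Object.prototype
}

// Hardened pattern: reject reserved keys and use prototype-less containers.
function storeSafe(registry, name, version, block) {
  for (const key of [name, version]) {
    if (typeof key !== 'string' || RESERVED.has(key)) {
      throw new Error('rejected reserved key: ' + String(key));
    }
  }
  if (!Object.prototype.hasOwnProperty.call(registry, name)) {
    registry[name] = Object.create(null);
  }
  registry[name][version] = block;
}

// Runs both patterns on constructed input and reports what happened.
function demo() {
  storeNaive({}, '__proto__', 'polluted', true);
  const leaked = ({}).polluted === true; // unrelated objects now see the key
  delete Object.prototype.polluted;      // undo the pollution

  const safe = Object.create(null);
  let rejected = false;
  try {
    storeSafe(safe, '__proto__', 'polluted', true);
  } catch {
    rejected = true;
  }
  storeSafe(safe, 'UserNotFound', '0.1.0', { title: 'User not found' });
  return {
    leaked,
    rejected,
    clean: ({}).polluted === undefined,
    stored: safe.UserNotFound['0.1.0'].title,
  };
}

console.log(demo());
```

The same reserved-key check can be applied to documentation input before it reaches the parser, so that a rejected file never gets merged into shared state.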
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| apidoc-core (npm) | <= 0.15.0 | — |
Affected products
- apidoc-core/apidoc-core (source: description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-5q53-78f2-6gf8 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-57317 (GHSA, advisory)
- github.com/OrangeShieldInfos/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57317 (GHSA, web)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/apidoc-core%400.15.0/index.js (GHSA, web)