Cyber Resilience

CVE-2025-13158

Critical

Published: 26 December 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v4: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0044 (35.3th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13158 is a critical-severity Prototype Pollution (CWE-1321) vulnerability in Sonatype (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, it is ranked at the 35.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.

Related Threats

CVEs Like This One

CVE-2025-8083 (Shared CWE-1321)
CVE-2024-57067 (Shared CWE-1321)
CVE-2025-25977 (Shared CWE-1321)
CVE-2026-26021 (Shared CWE-1321)
CVE-2026-33993 (Shared CWE-1321)
CVE-2024-57063 (Shared CWE-1321)
CVE-2024-24292 (Shared CWE-1321)
CVE-2026-32621 (Shared CWE-1321)
CVE-2026-32878 (Shared CWE-1321)
CVE-2026-34621 (Shared CWE-1321)

Affected Assets

Sonatype
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
