Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
apidoc-core Prototype Pollution Vulnerability Allowing Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the apidoc-core library, specifically in versions through 0.15.0. This vulnerability arises in the preProcess function within the 'apidoc-core/lib/workers/api_body_title' module. The issue allows attackers to inject properties into Object.prototype by sending a crafted payload, which can disrupt the integrity of object inheritance chains. The primary consequence of this vulnerability is a denial-of-service condition, as the prototype pollution can lead to unintended behavior in applications that depend on the correctness of prototype chains.
Impact
Exploitation of this vulnerability can cause denial-of-service conditions by disrupting the normal behavior of applications that rely on JavaScript's prototype inheritance.
Reproduction
The vulnerability can be reproduced by using apidoc-core version 0.15.0 and providing malformed input that includes specially crafted 'define' properties. This input should be processed by the preProcess function, which will inadvertently assign the injected properties to Object.prototype, leading to prototype pollution.
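The bug class described above, shown as an added example that is not apidoc-core's code: a simplified stand-in for a worker that indexes parsed blocks by name in a plain object, next to a hardened form. The function names, field names and sample blocks are assumptions constructed for illustration.

```javascript
// Constructed sample input: parsed doc blocks; the second carries a hostile name.
const sampleBlocks = [
  { name: 'UserError', version: '1.0.0', title: 'User not found' },
  { name: '__proto__', version: 'polluted', title: 'attacker value' },
];

// Vulnerable pattern (hypothetical stand-in): untrusted names index a plain object.
function indexUnsafe(blocks) {
  const index = {};
  for (const b of blocks) {
    // index['__proto__'] resolves to Object.prototype, so this check passes...
    if (!index[b.name]) index[b.name] = {};
    // ...and this write lands on Object.prototype, visible to every object.
    index[b.name][b.version] = b.title;
  }
  return index;
}

// Keys that reach the prototype chain of ordinary objects.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened form: null-prototype containers plus explicit key rejection.
function indexSafe(blocks) {
  const index = Object.create(null);
  const rejected = [];
  for (const b of blocks) {
    if (FORBIDDEN.has(b.name) || FORBIDDEN.has(b.version)) {
      rejected.push(b); // surface the block instead of silently processing it
      continue;
    }
    if (!index[b.name]) index[b.name] = Object.create(null);
    index[b.name][b.version] = b.title;
  }
  return { index, rejected };
}

// Pollution check: a fresh empty object should inherit no unexpected key.
function isPolluted(key) {
  return key in {};
}

// Runs both forms on the sample input and reports what each left behind.
function demo() {
  indexUnsafe(sampleBlocks);
  const afterUnsafe = isPolluted('polluted');
  delete Object.prototype.polluted; // undo the pollution before the safe run
  const { index, rejected } = indexSafe(sampleBlocks);
  return { afterUnsafe, afterSafe: isPolluted('polluted'),
           kept: Object.keys(index), rejected: rejected.length };
}
```

The null-prototype containers alone stop the write from reaching Object.prototype; the key rejection adds a record of which blocks were refused.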
