redoc is vulnerable to Prototype Pollution
20
Low Risk
Affected versions of redoc are vulnerable to prototype pollution via the Module.mergeObjects function located in redoc/bundles/redoc.lib.js at line 2. The vulnerability occurs because the mergeObjects() method recursively copies properties from a source object to a destination object without implementing necessary security checks. As a result, an attacker can exploit this behavior to inject malicious properties into the built-in Object.prototype by leveraging special properties such as __proto__ or constructor.prototype. This prototype pollution can be further exploited to manipulate application logic, potentially leading to Denial of Service, Remote Code Execution, or Cross-site Scripting attacks.
You are affected if you use a vulnerable version of redoc.
redoc is vulnerable to Prototype Pollution in versions 1.0.1 - 2.3.0.
Upgrade redoc to a patched version.
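To make the advisory's description concrete, the following is an added illustration (not redoc's own mergeObjects code) of a recursive merge that copies every key without checks, next to a hardened version that refuses the keys which can reach a prototype and only descends into the destination's own plain-object properties. The payload is constructed; JSON.parse is used because it creates an own property literally named "__proto__", which is what an untrusted document would deliver.

```javascript
// Added example, not code from redoc: a minimal recursive merge of the kind
// the advisory describes, beside a hardened variant.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// VULNERABLE pattern: enumerates every key of src, including "__proto__".
// dst["__proto__"] resolves to Object.prototype, so the recursion writes
// into the shared prototype instead of into dst.
function mergeObjectsUnsafe(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(dst[key])) dst[key] = {};
      mergeObjectsUnsafe(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// HARDENED pattern: skip keys that can reach a prototype, use own keys only,
// and never recurse into an inherited property of dst.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeObjectsSafe(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = src[key];
    if (isPlainObject(value)) {
      const ownPlain =
        Object.prototype.hasOwnProperty.call(dst, key) && isPlainObject(dst[key]);
      if (!ownPlain) dst[key] = {};
      mergeObjectsSafe(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed payload. JSON.parse yields an *own* enumerable property named
// "__proto__"; an object literal with that key would set the prototype instead.
const PAYLOAD = JSON.parse('{"__proto__": {"polluted": true}}');

// Runs a merge against an empty target and reports whether an unrelated
// object created beforehand now sees the injected property. The prototype
// is restored afterwards so the rest of the process is unaffected.
function demonstrate(merge) {
  const probe = {};
  try {
    merge({}, PAYLOAD);
    return probe.polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log("unsafe merge pollutes Object.prototype:", demonstrate(mergeObjectsUnsafe));
console.log("safe merge pollutes Object.prototype:  ", demonstrate(mergeObjectsSafe));
```

The hardened variant also keeps ordinary deep-merge behaviour (nested objects are combined, scalars are overwritten), so it is a drop-in replacement for the pattern rather than a restriction on legitimate input. A second defence that applies to either variant is to create destination objects with Object.create(null) or to freeze Object.prototype at startup, which turns a missed key check into a no-op instead of a global change.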