
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in rollbar

Low
brianr published GHSA-r8c2-2qwq-94p6 Oct 17, 2025

Package

npm rollbar (npm)

Affected versions

<=2.26.4, >=3.0.0-alpha1&&<=3.0.0-beta4

Patched versions

2.26.5, 3.0.0-beta5

Description

Impact

Potential prototype pollution in the utility function rollbar/src/utility.set(). There is no impact when using the published public interface.

If application code directly imports set from rollbar/src/utility and then calls set with untrusted input in the second argument, it is vulnerable to prototype pollution.

POC:

const obj = {};
require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable");
console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]':'');

Patches

Fixed in version 2.26.5 and 3.0.0-beta5.

Workarounds

If application code directly imports set from rollbar/src/utility, ensure that the second argument does not receive untrusted input.
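As an added illustration of the workaround (this is example code, not rollbar's own utility and not a reproduction of its set() implementation), the helper below is a deep "set" that follows the same dotted-path convention as the advisory's PoC but refuses any segment that could reach Object.prototype, and only descends through properties the target object itself owns. The companion isPrototypePolluted() check is a simple probe a test suite can run after handling untrusted input. The key list and the safeSet/isPrototypePolluted names are assumptions for this example.

```javascript
// Added example, not rollbar's code. A hardened deep-set for dotted paths
// such as "a.b.c": rejects prototype-related keys anywhere in the path and
// never walks inherited properties, so input like "__proto__.polluted"
// cannot write to Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(obj, path, value) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const parts = path.split('.');
  // Reject the whole path up front: a forbidden key in the middle
  // ("constructor.prototype.x") is as dangerous as one at the start.
  for (const part of parts) {
    if (FORBIDDEN_KEYS.has(part)) {
      throw new Error(`refusing to set prototype-related key "${part}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    // Only descend into an own, non-null object; anything inherited or
    // primitive is replaced with a fresh plain object on this level.
    if (!Object.prototype.hasOwnProperty.call(cur, key) ||
        typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Probe: a freshly created empty object should not inherit probeKey.
// Returns true if something has written that key to Object.prototype.
function isPrototypePolluted(probeKey) {
  return ({})[probeKey] !== undefined;
}

// Convenience wrapper: true if safeSet rejected the path, false if it wrote.
function rejectsPath(path) {
  try {
    safeSet({}, path, 'x');
    return false;
  } catch (e) {
    return true;
  }
}

// Usage: the advisory's PoC input is refused, and a plain object is untouched.
console.log('PoC path rejected:', rejectsPath('__proto__.polluted'));
console.log('prototype polluted:', isPrototypePolluted('polluted'));
console.log('normal set:', JSON.stringify(safeSet({}, 'a.b.c', 42)));
```

Validating the whole path before writing anything means a rejected call leaves the target object unchanged, which is easier to reason about than a helper that writes part of the path and then throws.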

References

#1333 (comment)

Severity

Low

CVE ID

CVE-2025-57325

Weaknesses

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Credits