Description
Potential prototype pollution in the utility function rollbar/src/utility.set(). There is no impact when the package is used through its published public interface.
If application code imports set directly from rollbar/src/utility and calls it with untrusted input as the second argument, that code is vulnerable to prototype pollution: a key such as __proto__ in the second argument lets the caller write properties onto Object.prototype, which every object in the process then inherits.
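The following is an added illustration of the class of bug described above; it is not rollbar's code and does not reproduce the project's implementation. It assumes a generic "set by dotted path" helper with the signature set(obj, path, value), where path is the second argument. The unsafe variant shows how a path like `__proto__.polluted` reaches Object.prototype, and the hardened variant shows the two checks that close the hole: rejecting prototype-related key names and only walking own properties.

```javascript
// Added example, not rollbar's code. Generic "set by dotted path" helper in the
// style of utility functions like this; assumed signature set(obj, path, value).

// Vulnerable variant: walks whatever cur[k] resolves to, including inherited
// properties such as __proto__, so an untrusted path can reach Object.prototype.
function setUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === null || typeof cur[k] !== 'object') {
      cur[k] = {};
    }
    cur = cur[k]; // for k === '__proto__' this is Object.prototype
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened variant: reject the key names that lead to a prototype, and only
// descend into properties the current object actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError(`refusing to set prototype-related key "${k}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || cur[k] === null || typeof cur[k] !== 'object') {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Runs both variants against a constructed untrusted path (the kind of value
// that might arrive in a request body) and reports what happened.
function demonstrate() {
  const untrustedPath = '__proto__.polluted'; // constructed attacker input
  const probe = {}; // an unrelated object; it should never gain "polluted"

  const before = probe.polluted; // undefined
  setUnsafe({}, untrustedPath, true);
  const after = probe.polluted; // true: Object.prototype was written
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected

  let safeRejected = false;
  try {
    setSafe({}, untrustedPath, true);
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  const stillClean = probe.polluted === undefined;

  // Ordinary nested writes still work with the hardened version.
  const cfg = setSafe({}, 'payload.person.id', 42);
  const nestedOk = cfg.payload.person.id === 42;

  return { before, after, safeRejected, stillClean, nestedOk };
}

console.log(demonstrate());
```

The own-property check matters on its own: even with the deny-list in place, walking inherited properties would let a path through any inherited object-valued property mutate a shared object rather than the target. Blocking the three key names and restricting traversal to own properties together cover the cases a deny-list alone would miss.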
Recommendation
Update the rollbar package to the latest compatible version. Version details:
Affected version(s): **<= 2.26.4** and **>= 3.0.0-alpha1, <= 3.0.0-beta4**
Patched version(s): **2.26.5** and **3.0.0-beta5**
Related Issues
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- rollbar vulnerable to Prototype Pollution in merge() - CVE-2025-62517
- csvjson vulnerable to prototype injection - CVE-2025-57318
- Prebid.js NPM package briefly compromised - CVE-2025-59038
Tags: npm, rollbar
Last updated on October 20, 2025