Description
The internal utility function set() in rollbar/src/utility is susceptible to prototype pollution. There is no impact when rollbar is used through its published public interface.
If application code imports set directly from rollbar/src/utility and calls it with untrusted input as the second argument, that application code is vulnerable to prototype pollution.
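The following is an added illustration of the pattern the advisory describes, not rollbar's own code. It assumes a setter of the shape set(obj, path, value), where the second argument is a dotted path or an array of keys (an assumption; the advisory only says the second argument is where untrusted input is dangerous). unsafeSet walks the path and creates intermediate objects, so a path beginning with "__proto__" or "constructor.prototype" ends up writing to Object.prototype. safeSet is a hardened variant that rejects those keys and only descends into own properties.

```javascript
'use strict';

// Hypothetical, simplified setter reproducing the vulnerable pattern.
// NOT rollbar's code: it only shows how a path-walking setter can be
// steered onto Object.prototype by an attacker-controlled path.
function unsafeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    // Inherited lookups are honoured: cur['__proto__'] is Object.prototype,
    // cur['constructor'] is Object, so the walk escapes the target object.
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Keys through which a path can reach a shared prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened variant: refuse dangerous keys up front and never descend into
// an inherited property, so the walk stays inside the caller's object graph.
function safeSet(obj, path, value) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new TypeError('refusing to set key ' + JSON.stringify(k));
    }
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Constructed attacker input (e.g. a key name taken from a request body)
// fed into both setters; reports what each one did to fresh objects.
function demonstrate() {
  const attackerPath = '__proto__.polluted';
  const before = ({}).polluted;            // undefined: nothing polluted yet
  unsafeSet({}, attackerPath, 'yes');
  const after = ({}).polluted;             // 'yes': every object now inherits it
  delete Object.prototype.polluted;        // undo the pollution for this process
  let hardened;
  try {
    safeSet({}, attackerPath, 'yes');
    hardened = 'allowed';
  } catch (e) {
    hardened = 'rejected';
  }
  return { before, after, hardened, afterCleanup: ({}).polluted };
}

console.log(demonstrate());
```

The same escape works with the path "constructor.prototype.polluted" against unsafeSet, since a plain object's inherited constructor is Object; safeSet rejects both forms by key name, and the own-property check additionally stops a walk that reaches a prototype through any other inherited property.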
Recommendation
Update the rollbar package to the latest compatible version. The affected and patched versions are:
Affected version(s): **>= 3.0.0-alpha1, <= 3.0.0-beta4** and **<= 2.26.4**. Patched version(s): **3.0.0-beta5** and **2.26.5**.
Related Issues
- rollbar vulnerable to Prototype Pollution in merge() - CVE-2025-62517
- Elysia vulnerable to prototype pollution with multiple standalone schema validation - CVE-2025-66456
- mpregular vulnerable to prototype pollution - CVE-2025-57323
- counterpart vulnerable to prototype pollution - CVE-2025-57354
Tags:
- npm
- rollbar
Last updated on October 20, 2025