Description
The utility function rollbar/src/utility.set() can be used to cause prototype pollution. There is no impact when using only the published public interface.
If application code directly imports set from rollbar/src/utility and then calls set with untrusted input in the second argument, it is vulnerable to prototype pollution.
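The pattern described above, as an added example that is not rollbar's source code: a path-based setter that follows caller-supplied keys, next to a hardened version that rejects prototype-related keys. The helper names `naiveSet` and `safeSet`, the `set(obj, path, value)` shape with a dot-separated path, and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not code from the rollbar package.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern: walks a dot-separated path, creating missing levels,
// and follows whatever keys the caller supplies (including inherited ones).
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof cur[keys[i]] !== 'object' || cur[keys[i]] === null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
}

// Hardened form: refuses prototype-related keys and only descends into
// own properties, so objects reached through inheritance are never modified.
function safeSet(obj, path, value) {
  if (typeof path !== 'string' || path.length === 0) return false;
  const keys = path.split('.');
  if (keys.some((k) => BLOCKED_KEYS.has(k))) return false;
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return true;
}

// Runs both setters on a constructed untrusted path and reports the effect.
function demo() {
  const untrustedPath = '__proto__.isAdmin'; // constructed sample input
  const results = {};
  naiveSet({}, untrustedPath, true);
  results.naivePolluted = ({}).isAdmin === true; // unrelated object is affected
  delete Object.prototype.isAdmin; // restore the global prototype
  results.safeAccepted = safeSet({}, untrustedPath, true);
  results.safePolluted = ({}).isAdmin === true;
  const target = {};
  results.normalAccepted = safeSet(target, 'a.b', 1);
  results.normalValue = target.a.b;
  return results;
}

console.log(demo());
```

Upgrading to a patched version remains the fix; a key filter like this is a check application code can apply to any path it passes to such a setter.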
Recommendation
Update the rollbar package to the latest compatible version. Version details:
- Affected version(s): **>= 3.0.0-alpha1, <= 3.0.0-beta4** and **<= 2.26.4**
- Patched version(s): **3.0.0-beta5** and **2.26.5**
Related Issues
- svelte vulnerable to Cross-site Scripting - CVE-2025-15265
- Angular vulnerable to Cross-site Scripting - CVE-2020-7676
- angular Prototype Pollution vulnerability - CVE-2019-10768
- rollbar vulnerable to Prototype Pollution in merge() - CVE-2025-62517
Last updated on October 20, 2025