Description
Prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible.
Recommendation
Update the rollbar package to the latest compatible version. The version details are as follows:
- Affected version(s): **>= 3.0.0-alpha1, <= 3.0.0-beta4** and **<= 2.26.4**
- Patched version(s): **3.0.0-beta5**, **2.26.5**
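
An added example, not rollbar's code and not part of the original advisory: a constructed unfiltered recursive merge shows why untrusted objects must not reach `rollbar.configure()` unfiltered, and a hypothetical `sanitize()` helper shows a defense-in-depth filter to apply alongside the upgrade. All function names and the sample input are assumptions made for illustration.

```javascript
// Added example: naiveMerge is a constructed stand-in, not rollbar's merge().
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unfiltered recursive merge: target['__proto__'] resolves to Object.prototype,
// so a nested "__proto__" object in source is written onto the shared prototype.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Deep-copies untrusted data, dropping keys that can reach a prototype.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (!isPlainObject(value)) return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (!BLOCKED_KEYS.has(key)) clean[key] = sanitize(value[key]);
  }
  return clean;
}

// Merges input into a fresh object and returns the property names that
// appeared on Object.prototype as a result (removing them again afterwards).
function prototypeKeysAddedBy(input) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  naiveMerge({}, input);
  const added = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.has(k));
  for (const k of added) delete Object.prototype[k];
  return added;
}

// Constructed sample: JSON.parse creates "__proto__" as an ordinary own key.
const untrusted = JSON.parse(
  '{"environment": "staging", "__proto__": {"polluted": true}}');

console.log(prototypeKeysAddedBy(untrusted));           // [ 'polluted' ]
console.log(prototypeKeysAddedBy(sanitize(untrusted))); // []
```

Passing `sanitize(input)` instead of raw request data keeps legitimate keys such as `environment` while discarding the keys that walk into a prototype.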
References
Related Issues
- rollbar vulnerable to prototype pollution - CVE-2025-57325
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 4 - CVE-2020-8203
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203
- Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 2 - CVE-2020-8203
- Tags:
- npm
- rollbar
Last updated on October 24, 2025