CVE-2025-57325

Impact

Prototype pollution potential with the utility function rollbar/src/utility.set(). No impact when using the published public interface.

If application code directly imports set from rollbar/src/utility and then calls set with untrusted input in the second argument, it is vulnerable to prototype pollution.

POC:

const obj = {};
require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable");
console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]' : '');

Patches

Fixed in versions 2.26.5 and 3.0.0-beta5.

Workarounds

If application code directly imports set from rollbar/src/utility, ensure that the second argument does not receive untrusted input.
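
One way to apply this workaround is to validate the property path before it reaches any dot-path setter. This is an added example, not rollbar.js code: `isSafePath`, `guardedSet` and `naiveSet` are hypothetical names, and `naiveSet` is a constructed stand-in for an unguarded setter of the same bug class, not the library's implementation.

```javascript
// Added example: hypothetical helpers, not part of rollbar.js.
// Path segments that can reach a prototype object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// True only if every segment of a dot-separated path is non-empty and
// none of them can traverse to a prototype.
function isSafePath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every((key) => key.length > 0 && !FORBIDDEN_KEYS.has(key));
}

// Constructed stand-in for an unguarded dot-path setter (assumption: it
// mirrors the bug class in the advisory, not the library's actual code).
function naiveSet(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (const key of keys.slice(0, -1)) {
    if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[keys[keys.length - 1]] = value;
}

// Validate the path, then delegate to whichever setter the application uses.
function guardedSet(setFn, obj, path, value) {
  if (!isSafePath(path)) {
    throw new TypeError(`refusing unsafe property path: ${JSON.stringify(path)}`);
  }
  setFn(obj, path, value);
  return obj;
}

// Runs the unguarded and guarded setters on constructed inputs and
// returns what was observed.
function demo() {
  const results = {};
  naiveSet({}, '__proto__.demoPolluted', 'yes');
  results.naivePolluted = ({}).demoPolluted === 'yes';
  delete Object.prototype.demoPolluted; // undo the pollution before continuing
  try {
    guardedSet(naiveSet, {}, '__proto__.demoPolluted', 'yes');
    results.blocked = false;
  } catch (e) {
    results.blocked = e instanceof TypeError;
  }
  results.stillClean = ({}).demoPolluted === undefined;
  results.normal = guardedSet(naiveSet, {}, 'a.b.c', 1).a.b.c;
  return results;
}
```

In an application, `guardedSet` would take the imported `set` as `setFn`; upgrading to a fixed version remains the primary remedy.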

References

https://github.com/rollbar/rollbar.js/issues/1333#issuecomment-3353720946
