CVE-2025-57325
Description
rollbar is a package designed to effortlessly track and debug errors in JavaScript applications. This package includes advanced error tracking features and an intuitive interface to help you identify and fix issues more quickly. A Prototype Pollution vulnerability in the utility.set function of rollbar v2.26.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Prototype Pollution vulnerability in rollbar.js v2.26.4 and earlier allows attackers to inject properties on Object.prototype via a crafted payload, leading to denial of service.
Vulnerability
Overview
Rollbar.js is an error tracking library for JavaScript applications. A Prototype Pollution vulnerability exists in the utility.set function of rollbar v2.26.4 and earlier [1]. The function does not properly sanitize user-controlled input when setting nested properties, allowing an attacker to inject properties onto Object.prototype through a crafted payload [1][3].
Exploitation
The vulnerability is triggered via the set function, which processes a path argument (e.g., '__proto__.polluted') without adequate protection against prototype pollution attacks. An attacker can exploit this by supplying a specially crafted object that, when merged or set, pollutes the global Object prototype [3]. The attack requires no authentication or special network position, as it can be achieved by delivering a malicious payload that the vulnerable code processes [1].
Impact
Successful exploitation can lead to prototype pollution, causing unexpected behavior in the application. The minimum consequence is denial of service (DoS) [1]. In a broader context, prototype pollution can lead to property injection that affects all objects, potentially enabling further attacks such as privilege escalation or code injection, depending on how the polluted properties are used by the application.
Mitigation
The issue was addressed in a commit (d717def8b68f4a947975d0aebb729869cdb2d343) that prevents prototype pollution by setting the prototype of objects to null before assignment and ensuring the merge function uses Object.create(null) to create an object without a prototype chain [4]. Users should update to a patched version of rollbar.js (after v2.26.4) to mitigate the vulnerability. No workaround is mentioned in the available references.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
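As an added example (not rollbar's code and not the patch commit), here is a dot-path setter hardened along the lines described under Mitigation: it refuses `__proto__`, `constructor` and `prototype` segments before walking the path and creates intermediate objects with `Object.create(null)`, so nothing can reach `Object.prototype` and the caller's object is not mutated as a side effect. `safeSet`, `assertSafePath` and `prototypeIsClean` are assumed names.

```javascript
'use strict';

// Added example, not rollbar's code. Path segments that can walk from an
// ordinary object into the prototype chain (and so into Object.prototype).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any path segment that would descend into the prototype chain.
function assertSafePath(keys) {
  for (const key of keys) {
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new TypeError('refusing to set unsafe path segment: ' + key);
    }
  }
}

// Like a set(obj, 'a.b.c', value) helper, but only own properties are
// descended into; anything missing or inherited is replaced with a fresh
// prototype-less object instead.
function safeSet(obj, path, value) {
  if (!obj || typeof path !== 'string') return obj;
  const keys = path.split('.');
  assertSafePath(keys);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = Object.create(null);
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Canary for tests or health checks: true if none of the given names has
// become an own property of Object.prototype.
function prototypeIsClean(names) {
  return names.every(
    (n) => !Object.prototype.hasOwnProperty.call(Object.prototype, n)
  );
}
```

The canary is useful as an assertion after any test that feeds untrusted keys into a merge or set helper, since a polluted prototype otherwise silently contaminates every later test in the run.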
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rollbar (npm) | < 2.26.5 | 2.26.5 |
| rollbar (npm) | >= 3.0.0-alpha1, < 3.0.0-beta5 | 3.0.0-beta5 |
Affected products
- rollbar/rollbar
  - Range: <=2.26.4
Patches
- d717def8b68f: prototype pollution prevention (#1394)
4 files changed · +21 −4
.github/workflows/ci.yml+3 −3 modified@@ -2,14 +2,14 @@ name: Rollbar.js CI on: push: - branches: [master] + branches: [next/2.x/main] tags: [v*] pull_request: - branches: [master] + branches: [next/2.x/main] jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 strategy: matrix:
src/merge.js+1 −1 modified@@ -34,7 +34,7 @@ function merge() { copy, clone, name, - result = {}, + result = Object.create(null), // no prototype pollution on Object current = null, length = arguments.length;
src/utility.js+4 −0 modified@@ -660,6 +660,10 @@ function set(obj, path, value) { if (!obj) { return; } + + // Prevent prototype pollution by setting the prototype to null. + Object.setPrototypeOf(obj, null); + var keys = path.split('.'); var len = keys.length; if (len < 1) {
test/utility.test.js+13 −0 modified@@ -446,6 +446,13 @@ describe('merge', function () { expect(e.amihere).to.eql('yes'); done(); }); + it('should be secure against prototype pollution', function () { + const o1 = JSON.parse('{"__proto__": {"polluted": "yes"}}'); + const o2 = JSON.parse('{"__proto__": {"polluted": "yes"}}'); + const result = _.merge(o1, o2); + expect({}.polluted).to.not.eql('yes'); + expect(result.polluted).to.not.eql('yes'); + }); }); var traverse = require('../src/utility/traverse'); @@ -765,6 +772,12 @@ describe('set', function () { expect(o.foo.bar.buzz).to.eql(97); expect(o.foo.bar.baz.fizz).to.eql(1); }); + it('should be secure against prototype pollution', function () { + const o = {}; + _.set(o, '__proto__.polluted', 'yes'); + expect({}.polluted).to.not.eql('yes'); + expect(o.polluted).to.not.eql('yes'); + }); }); var scrub = require('../src/scrub');
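Review bot: the branch rename to `next/2.x/main` and the runner bump to `ubuntu-22.04` in `.github/workflows/ci.yml` are unrelated to the prototype-pollution fix; bundling them into the security commit makes the patch harder to backport to other release lines and harder to audit. Consider splitting the CI changes into their own commit.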
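Review bot: `result = Object.create(null)` in `src/merge.js` changes the public return type of `merge()`: callers that do `merged.hasOwnProperty(...)`, `merged.toString()` or compare `Object.getPrototypeOf(merged)` with `Object.prototype` will now break, and neither the commit message nor a doc comment mentions it. Only the top-level `result` is prototype-less; the `clone` objects created for nested properties (the variables declared just above) should get the same treatment, or the `__proto__`/`constructor`/`prototype` keys should be skipped when copying, otherwise nested input is still merged into an ordinary object.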
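Review bot: `Object.setPrototypeOf(obj, null)` in `set()` of `src/utility.js` mutates the caller's object as a side effect: after the first call, `obj` loses every inherited method (`hasOwnProperty`, `toString`, `valueOf`), and engines deoptimize objects whose prototype changes after creation. It also only neutralises the top-level object; the hunk does not show what happens to the intermediate objects created while walking `keys`, so please confirm those are covered. Validating the path instead, by rejecting any segment equal to `__proto__`, `constructor` or `prototype` right after `var keys = path.split('.')`, fixes the issue without altering the caller's object.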
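Review bot: both new tests in `test/utility.test.js` exercise only `__proto__` as the first segment; add cases for the `constructor.prototype` route and for a dangerous segment that is not the first key, so the regression suite covers every path to `Object.prototype` rather than the single payload from the report. Also, because `expect({}.polluted).to.not.eql('yes')` checks global state, a failing run leaves `Object.prototype.polluted` set and contaminates every later test; an `afterEach` that deletes it keeps failures isolated.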
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r8c2-2qwq-94p6 (ADVISORY, via ghsa)
- nvd.nist.gov/vuln/detail/CVE-2025-57325 (ADVISORY, via ghsa)
- github.com/VulnSageAgent/PoCs/blob/main/JavaScript/prototype-pollution/rollbar%402.26.4/index.js (WEB, via ghsa)
- github.com/VulnSageAgent/PoCs/tree/main/JavaScript/prototype-pollution/CVE-2025-57325 (WEB, via ghsa)
- github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343 (WEB, via ghsa)
- github.com/rollbar/rollbar.js/issues/1333 (WEB, via ghsa)
- github.com/rollbar/rollbar.js/security/advisories/GHSA-r8c2-2qwq-94p6 (WEB, via ghsa)
News mentions
No linked articles in our index yet.