rollbarjs, Prototype Pollution, CVE-2025-XXXX (Low)


The CVE-2025-XXXX vulnerability in rollbar.js is a prototype pollution flaw in a private utility function. The affected code is the internal `set()` function in rollbar/src/utility.js, which sets a property on an object using a dotted string path, for example `set({}, "a.b.c", "value")`. The vulnerability arises because the function does not sanitize the path string. An attacker who can control the path can supply a string containing segments such as `__proto__` or `constructor.prototype`. If application code calls this internal function directly with user-supplied input as the path, the crafted path can modify the JavaScript `Object.prototype`. That pollution affects every object in the application and, depending on the application's structure, can lead to remote code execution, denial of service, or bypass of security controls. Note that this function is not part of the public API; the primary impact is on code that imports and uses this internal module directly.
Platform: rollbar.js
Version: <=2.26.4, 3.0.0-alpha1 to 3.0.0-beta4

Vulnerability: Prototype Pollution

Severity: Low

Date: 2025-10-17

Prediction: Patched 2025-10-20

What Undercode Says:

npm audit
grep -r "from 'rollbar/src/utility'" .
node -e "const { set } = require('rollbar/src/utility'); set({}, '__proto__.polluted', 'yes'); console.log({}.polluted);"

How to Exploit:

const { set } = require('rollbar/src/utility');
// Malicious user input controlling the path
set({}, '__proto__.isAdmin', true);
// Now every object inherits isAdmin = true

Protection from this CVE

Update to rollbar.js version 2.26.5 or 3.0.0-beta5. Avoid directly importing and using internal `rollbar/src/utility` modules. Sanitize all user inputs that interact with object property paths. Use objects created with `Object.create(null)` which have no prototype.
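As an added example (not rollbar's own code): a naive dotted-path setter reconstructed from the description above, beside a hardened form that rejects prototype-reaching segments and walks only own properties, plus a small probe a test suite can run to confirm nothing has leaked onto `Object.prototype`. All three function names are assumptions for this illustration.

```javascript
// Hypothetical naive setter, reconstructed from the advisory's description.
// It walks the dotted path and creates objects as needed, so a path such as
// '__proto__.isAdmin' steps into Object.prototype and writes there.
function unsafeSet(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === undefined) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Segments that can reach a prototype from a plain object.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened setter: validates every segment up front, then only traverses
// own properties, so an inherited value is never used as a container.
function safeSet(obj, path, value) {
  const parts = path.split('.');
  for (const p of parts) {
    if (FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`refusing unsafe path segment: ${p}`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = {};
    }
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Runtime probe: a fresh plain object must not inherit any of the given keys.
// Returns true if Object.prototype has been polluted with one of them.
function isPrototypePolluted(keys) {
  const probe = {};
  return keys.some((k) => k in probe);
}
```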

Impact:

Modifies JavaScript Object Prototype. Potential for Remote Code Execution. Application behavior manipulation. Security control bypass.


Sources:

Reported By: github.com