Description
rollbar vulnerable to Prototype Pollution in merge()
Impact
A prototype pollution vulnerability exists in the merge() routine of rollbar.js. If application code calls rollbar.configure() with untrusted input (for example, configuration assembled from a request body or query parameters), an attacker-controlled object can be merged into Object.prototype, so properties injected by the attacker become visible on every object in the process.
Patches
Fixed in versions 2.26.5 and 3.0.0-beta5.
Workarounds
Ensure that values passed to rollbar.configure() do not contain untrusted input. Only pass configuration built from trusted sources, and never forward user-supplied objects directly into configure().
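To make the impact and the workaround concrete, the following is an added example; it is not rollbar.js code and does not reproduce the project's actual merge() implementation. It shows a typical recursive merge that is vulnerable to prototype pollution next to a hardened variant that refuses the __proto__, constructor and prototype keys and only copies own properties. The payload, the function names (mergeVulnerable, mergeSafe, demonstrate) and the configuration shape are constructed for illustration.

```javascript
'use strict';

// Added example, not rollbar.js code. A naive deep merge of the kind that is
// vulnerable to prototype pollution, beside a hardened variant.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into target[key] for any key, including "__proto__".
// On a plain object, target["__proto__"] is Object.prototype, so a crafted
// source walks the merge straight into the global prototype.
function mergeVulnerable(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeVulnerable(target[key], source[key]);
    } else if (isPlainObject(source[key])) {
      target[key] = mergeVulnerable({}, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the keys that reach a prototype, iterate only own
// enumerable keys of the source, and only recurse into own properties of the
// target so an inherited object is never used as a merge destination.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = mergeSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it might arrive in untrusted JSON that
// application code then forwards into a configuration merge. JSON.parse
// creates "__proto__" as an ordinary own property, which is what the
// vulnerable merge then follows into Object.prototype.
const PAYLOAD =
  '{"payload":{"environment":"prod"},"__proto__":{"polluted":true}}';

// Runs one merge with the payload and reports whether a fresh, unrelated
// object now carries the injected property. Cleans up afterwards so each
// call starts from an unpolluted prototype.
function demonstrate(mergeFn) {
  const before = {}.polluted; // undefined while the prototype is clean
  mergeFn({ enabled: true }, JSON.parse(PAYLOAD));
  const after = {}.polluted; // true if Object.prototype was polluted
  delete Object.prototype.polluted;
  return { before, after };
}

console.log('vulnerable merge:', demonstrate(mergeVulnerable));
console.log('hardened merge:  ', demonstrate(mergeSafe));
```

The hardened merge is the shape of check a practitioner should expect from any library that deep-merges user-influenced configuration; when the library in use cannot be upgraded, applying the same filtering to the object before it reaches rollbar.configure() is the workaround described above.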
References
Fixed in https://github.com/rollbar/rollbar.js/pull/1394 (2.26.x) and https://github.com/rollbar/rollbar.js/pull/1390 (3.x)
Links
- https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
- https://nvd.nist.gov/vuln/detail/CVE-2025-62517
- https://github.com/rollbar/rollbar.js/pull/1390
- https://github.com/rollbar/rollbar.js/pull/1394
- https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
- https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
Packages
rollbar: affected <= 2.26.4; patched in 2.26.5
rollbar: affected >= 3.0.0-alpha1, <= 3.0.0-beta4; patched in 3.0.0-beta5
Related vulnerabilities
Rollbar.js offers error tracking and logging from JavaScript to Rollbar. In versions before 2.26.5, and in versions from 3.0.0-alpha1 up to but not including 3.0.0-beta5, there is a prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible. This issue has been fixed in versions 2.26.5 and 3.0.0-beta5. As a workaround, ensure that values passed to rollbar.configure() do not contain untrusted input.