GHSA-xcg2-9pp4-j82x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xcg2-9pp4-j82x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-xcg2-9pp4-j82x/GHSA-xcg2-9pp4-j82x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xcg2-9pp4-j82x
- Aliases
- Published
- 2025-10-23T20:31:30Z
- Modified
- 2025-10-24T19:28:46Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- rollbar vulnerable to Prototype Pollution in merge()
- Details
-
Impact
Prototype pollution vulnerability in merge(). If application code calls
rollbar.configure()with untrusted input, prototype pollution is possible.Patches
Fixed in 2.26.5 and 3.0.0-beta5.
Workarounds
Ensure that values passed to
rollbar.configure()do not contain untrusted input.References
Fixed in https://github.com/rollbar/rollbar.js/pull/1394 (2.26.x) and https://github.com/rollbar/rollbar.js/pull/1390 (3.x)
- Database specific
{ "cwe_ids": [ "CWE-1321" ], "github_reviewed": true, "github_reviewed_at": "2025-10-23T20:31:30Z", "severity": "MODERATE", "nvd_published_at": "2025-10-23T20:15:41Z" }- References
-
- https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
- https://nvd.nist.gov/vuln/detail/CVE-2025-62517
- https://github.com/rollbar/rollbar.js/pull/1390
- https://github.com/rollbar/rollbar.js/pull/1394
- https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
- https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
- https://github.com/rollbar/rollbar.js
Affected packages
npm / rollbar
Package
- Name
- rollbar
- View open source insights on deps.dev
- Purl
- pkg:npm/rollbar
npm / rollbar
Package
- Name
- rollbar
- View open source insights on deps.dev
- Purl
- pkg:npm/rollbar