CVE-2025-62517

Oct. 23, 2025, 8:15 p.m.

5.9
Medium

Description

Rollbar.js offers error tracking and logging from Javascript to Rollbar. In versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5, there is a prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible. This issue has been fixed in versions 2.26.5 and 3.0.0-beta5. A workaround involves ensuring that values passed to rollbar.configure() do not contain untrusted input.

Product(s) Impacted

Vendor Product Versions
Rollbar
  • Rollbar.js
  • <2.26.5, 3.0.0-alpha1-3.0.0-beta4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a rollbar rollbar.js <2.26.5 / / / / / / /
a rollbar rollbar.js 3.0.0-alpha1-3.0.0-beta4 / / / / / / /

References

https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
https://github.com/rollbar/rollbar.js/pull/1390
https://github.com/rollbar/rollbar.js/pull/1394
https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x

Tags

security-advisories@github.com
CWE-1321
2025-10-23
CVE-2025-62517

CVSS Score

5.9 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

    View Vector String

Timeline

Published: Oct. 23, 2025, 8:15 p.m.
Last Modified: Oct. 23, 2025, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.