CVE-2025-62517
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-10-27

Assigner: GitHub, Inc.

Description
Rollbar.js offers error tracking and logging from Javascript to Rollbar. In versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5, there is a prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible. This issue has been fixed in versions 2.26.5 and 3.0.0-beta5. A workaround involves ensuring that values passed to rollbar.configure() do not contain untrusted input.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-23
Last Modified
2025-10-27
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62517
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rollbar rollbar.js 2.26.4
rollbar rollbar.js 3.0.0-beta4
rollbar rollbar.js 3.0.0-alpha1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62517 is a prototype pollution vulnerability in the rollbar.js library's merge() function. It occurs when application code calls rollbar.configure() with untrusted input, allowing an attacker to modify the prototype of JavaScript objects. This can lead to unauthorized changes in the application's behavior or data integrity issues. The vulnerability affects versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5. It was fixed by ensuring that objects modified do not have a prototype, preventing prototype pollution. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform prototype pollution, which can lead to unauthorized modification of data and potentially arbitrary code execution within the affected application. Although it does not affect confidentiality or availability, it has a high impact on integrity, meaning attackers can alter data or application behavior without permission. Exploitation requires complex conditions but no privileges or user interaction. [2]

Detection Guidance

This vulnerability can be detected by checking the version of the rollbar.js library used in your application. Versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5 are vulnerable. You can detect the vulnerable version by inspecting your project's package.json or using npm commands such as `npm list rollbar` or `npm ls rollbar`. Additionally, reviewing your application code for calls to `rollbar.configure()` with untrusted input can help identify potential exploitation points. There are no specific network detection commands provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include upgrading rollbar.js to version 2.26.5 or later, or to 3.0.0-beta5 or later, where the vulnerability has been fixed. As a workaround, ensure that values passed to `rollbar.configure()` do not contain untrusted input to prevent prototype pollution. Applying the patches from pull requests #1394 and #1390 also addresses the issue by preventing modifications to objects with prototypes. [2, 1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62517. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart