CVE-2025-57325

描述

### Impact Prototype pollution potential with the utility function `rollbar/src/utility`.`set()`. No impact when using the published public interface. If application code directly imports `set` from `rollbar/src/utility` and then calls `set` with untrusted input in the second argument, it is vulnerable to prototype pollution. POC: ```js const obj = {}; require("rollbar/src/utility").set(obj, "__proto__.polluted", "vulnerable"); console.log({}.polluted !== undefined ? '[POLLUTION_TRIGGERED]':''); ``` ### Patches Fixed in version 2.26.5 and 3.0.0-beta5. ### Workarounds If application code directly imports `set` from `rollbar/src/utility`, ensure that the second argument does not receive untrusted input. ### References https://github.com/rollbar/rollbar.js/issues/1333#issuecomment-3353720946

如何修補 CVE-2025-57325

要修補 CVE-2025-57325,請將受影響套件升級到下列已修補版本。

• —升級至 2.26.5 或更新版本

CVE-2025-57325 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.26.5

CVSS 分數

參考連結(7)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-57325
• PATCHgithub.com/rollbar/rollbar.js
• WEBgithub.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
• WEBgithub.com/rollbar/rollbar.js/issues/1333