Vulnerability details: VCID-1hfu-wwu4-e3bn
Vulnerability ID VCID-1hfu-wwu4-e3bn
Aliases CVE-2025-62517
GHSA-xcg2-9pp4-j82x
Summary Rollbar.js offers error tracking and logging from JavaScript to Rollbar. In versions before 2.26.5 and from 3.0.0-alpha1 to before 3.0.0-beta5, there is a prototype pollution vulnerability in merge(). If application code calls rollbar.configure() with untrusted input, prototype pollution is possible. This issue has been fixed in versions 2.26.5 and 3.0.0-beta5. A workaround involves ensuring that values passed to rollbar.configure() do not contain untrusted input.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
epss 0.00064 https://api.first.org/data/v1/epss?cve=CVE-2025-62517
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-xcg2-9pp4-j82x
cvssv3.1 5.9 https://github.com/rollbar/rollbar.js
generic_textual MODERATE https://github.com/rollbar/rollbar.js
cvssv3.1 5.9 https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
generic_textual MODERATE https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
ssvc Track https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
cvssv3.1 5.9 https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
generic_textual MODERATE https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
ssvc Track https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
cvssv3.1 5.9 https://github.com/rollbar/rollbar.js/pull/1390
generic_textual MODERATE https://github.com/rollbar/rollbar.js/pull/1390
ssvc Track https://github.com/rollbar/rollbar.js/pull/1390
cvssv3.1 5.9 https://github.com/rollbar/rollbar.js/pull/1394
generic_textual MODERATE https://github.com/rollbar/rollbar.js/pull/1394
ssvc Track https://github.com/rollbar/rollbar.js/pull/1394
cvssv3.1 5.9 https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
cvssv3.1_qr MODERATE https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
generic_textual MODERATE https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
ssvc Track https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2025-62517
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-62517
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rollbar/rollbar.js
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T20:13:17Z/ Found at https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T20:13:17Z/ Found at https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rollbar/rollbar.js/pull/1390
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T20:13:17Z/ Found at https://github.com/rollbar/rollbar.js/pull/1390
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rollbar/rollbar.js/pull/1394
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T20:13:17Z/ Found at https://github.com/rollbar/rollbar.js/pull/1394
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-23T20:13:17Z/ Found at https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-62517
Exploit Prediction Scoring System (EPSS)
Percentile 0.20062
EPSS Score 0.00064
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:04:18.365830+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2025/62xxx/CVE-2025-62517.json 38.6.0