Rollbar Prototype Pollution Vulnerability Allowing Denial-of-Service
Vulnerability
A prototype pollution vulnerability has been identified in the Rollbar package, affecting versions through 2.26.4. By supplying a crafted payload, an attacker can inject properties into the Object prototype, with denial of service as the minimum consequence. The root cause is that the utility.set function does not sanitize deeply nested property paths, so a path can be made to walk into, and modify, the Object prototype chain.
Impact
Exploitation of this vulnerability can cause application crashes, disrupt normal code execution, or bypass security controls that depend on the integrity of the Object prototype.
Reproduction
The vulnerability can be reproduced against Rollbar version 2.26.4 or earlier by sending a payload whose deeply nested property path reaches the utility.set function. The properties that call injects into the Object prototype then cause a denial-of-service condition or disrupt normal application behavior.
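The following is an added example, not code from the Rollbar project, illustrating the class of bug the Vulnerability and Reproduction sections describe: a generic deep "set" utility that writes a value at a dotted path. The names unsafeSet, safeSet, prototypeHasOwn and the two demonstrate functions are hypothetical, and the dotted-path input is constructed here; nothing about Rollbar's actual utility.set implementation is assumed beyond what the advisory states. The vulnerable form follows the path without checking key names, so a path beginning at __proto__ lands on Object.prototype; the hardened form rejects the reserved keys and only descends into own properties, and a small probe shows how to check whether the prototype has already been polluted.

```javascript
// Added example (not Rollbar's code): a vulnerable deep-set utility beside
// its hardened form, with a probe that detects prototype pollution.

// VULNERABLE: walks the dotted path and creates missing objects, with no
// check on key names. `obj['__proto__']` is Object.prototype, so a path that
// starts with "__proto__" writes a property that every object inherits.
function unsafeSet(obj, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// HARDENED: reject the keys that reach the prototype chain, and only step
// through properties the current object owns itself (never inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(obj, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set reserved key "${key}"`);
    }
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || cur[key] === null || typeof cur[key] !== 'object') cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Detection probe: true when `name` is an own property of Object.prototype,
// which is exactly the state a successful pollution leaves behind.
function prototypeHasOwn(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs a constructed "__proto__.polluted" path through the vulnerable setter,
// records the effect on an unrelated object, then removes the injected
// property so the process is left clean.
function demonstrateUnsafe() {
  const target = {};
  unsafeSet(target, '__proto__.polluted', 'yes');   // constructed hostile path
  const probe = {};                                 // unrelated object
  const result = {
    polluted: prototypeHasOwn('polluted'),          // true
    seenByUnrelatedObject: probe.polluted,          // 'yes': inherited by all objects
  };
  delete Object.prototype.polluted;                 // clean up after the demo
  return result;
}

// Same hostile path through the hardened setter: rejected, prototype untouched,
// and an ordinary nested write still works.
function demonstrateSafe() {
  const target = {};
  let rejected = false;
  try {
    safeSet(target, '__proto__.polluted', 'yes');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  safeSet(target, 'context.request.id', 42);
  return {
    rejected,                                       // true
    polluted: prototypeHasOwn('polluted'),          // false
    nested: target.context.request.id,              // 42
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('unsafe:', demonstrateUnsafe());
  console.log('safe:  ', demonstrateSafe());
}
```

The key-name denylist alone is not sufficient in general code: the own-property check matters too, because descending through an inherited property (any key that resolves up the chain) would otherwise let a nested write land on a shared object. A cheaper alternative for data carriers that never need inheritance is to build them with Object.create(null), which has no prototype to pollute.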
