multi-ini is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes and modify attributes such as __proto__
, constructor
and prototype
by specifying the constructor.proto object as part of an array. This vulnerability exists due to bypass of the fix for CVE-2020-28448.