async is vulnerable to prototype pollution. An attacker is able to inject malicious property types via mapValues
method and gain unintended privileges due to prototype pollution vulnerability.
github.com/caolan/async/blob/master/lib/internal/iterator.js
github.com/caolan/async/blob/master/lib/mapValuesLimit.js
github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
github.com/caolan/async/compare/v2.6.3...v2.6.4
github.com/caolan/async/pull/1828
jsfiddle.net/oz5twjd9/
lists.fedoraproject.org/archives/list/[email protected]/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/
lists.fedoraproject.org/archives/list/[email protected]/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/