baobab is vulnerable to prototype pollution. An attacker is able to inject properties into existing construct prototypes via the merger function in helpers.js and modify attributes such as __proto__, constructor, and other prototype base objects.