This affects the package conf-cfg-ini before 1.2.2. If an attacker submits a malicious INI file to an application that parses it with decode, they will pollute the prototype on the application. This can be exploited further depending on the context.
{ "nvd_published_at": "2022-07-25T14:15:00Z", "github_reviewed_at": "2022-08-04T21:25:33Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-1321" ] }