nconf is a TOML-formatted plugin. Versions of nconf prior to 0.11.4 are vulnerable to prototype pollution: the `.set()` function, which is responsible for setting configuration properties, does not guard against keys that reach an object's prototype, so an attacker who controls a key passed to it can overwrite properties on the JavaScript object prototypes used by the application.
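The class of bug described above, shown as an added example that is not nconf's own code: a simplified, hypothetical path setter (`unsafeSet`) beside a hardened form (`safeSet`) that rejects prototype-reaching key segments. The function names, the sample key, and the use of `:` as the path delimiter are assumptions made for illustration.

```javascript
// Hypothetical stand-in for a path-based config setter; not nconf's source.
// Keys use ':' as the path delimiter, e.g. "database:host" (assumption).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern: every segment is followed without inspection, so the
// segment "__proto__" resolves to Object.prototype and the write lands there.
function unsafeSet(store, key, value) {
  const path = key.split(':');
  let target = store;
  while (path.length > 1) {
    const seg = path.shift();
    if (typeof target[seg] !== 'object' || target[seg] === null) target[seg] = {};
    target = target[seg];
  }
  target[path[0]] = value;
  return true;
}

// Hardened pattern: refuse prototype-reaching segments, descend only into
// own properties, and create intermediate nodes without a prototype.
function safeSet(store, key, value) {
  const path = key.split(':');
  if (path.some((seg) => FORBIDDEN.has(seg))) return false;
  let target = store;
  while (path.length > 1) {
    const seg = path.shift();
    const own = Object.prototype.hasOwnProperty.call(target, seg);
    if (!own || typeof target[seg] !== 'object' || target[seg] === null) {
      target[seg] = Object.create(null);
    }
    target = target[seg];
  }
  target[path[0]] = value;
  return true;
}

// Applies both setters to the same constructed key and reports whether an
// unrelated empty object inherited the property through Object.prototype.
function demo() {
  const key = '__proto__:demoPolluted'; // constructed sample input
  const results = {};
  unsafeSet({}, key, true);
  results.unsafePolluted = ({}).demoPolluted === true;
  delete Object.prototype.demoPolluted; // restore the shared prototype
  results.safeAccepted = safeSet({}, key, true);
  results.safePolluted = ({}).demoPolluted === true;
  return results;
}
```

The same segment check is useful as a regression test for any code that turns externally supplied keys into nested property writes.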