set-value is vulnerable to prototype pollution. Lack of validation in type of user-provided keys in the path parameter causes a bypass of CVE-2019-10747. The exploit is possible when the user-provided keys used in the path parameter are arrays.
github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452
github.com/jonschlinkert/set-value/commit/b057b1b8cf986746b27a145629d593c6bb4ab7c4
github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
github.com/jonschlinkert/set-value/pull/33
research.prod.srcclr.io/artifacts/20569
www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/
www.oracle.com/security-alerts/cpujan2022.html