The package nested-object-assign before 1.0.4 are vulnerable to Prototype Pollution via the default function, as demonstrated by running the PoC below. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Prototype Pollution
Information Disclosure
Nested Object Assign
NVD
GitHub
CVSS 3.1
7.5
EPSS
1.5%