All versions of package js-data are vulnerable to Prototype Pollution via the deepFillIn and the set functions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Prototype Pollution
Information Disclosure
Js Data
NVD
GitHub
CVSS 3.1
9.8
EPSS
2.1%