A vulnerability in npm package parse-ini version 1.0.6 allows prototype pollution because the function in index.js does not properly sanitize input data. This flaw enables an attacker to inject malicious properties into the prototypes of standard JavaScript objects, which can alter application behavior, corrupt data structures, or lead to arbitrary code execution. The weakness matches the pattern of prototype manipulation weaknesses.

Any Node.js application that incorporates parse-ini v1.0.6 or earlier is potentially impacted. Projects that read or parse .ini configuration files supplied from untrusted sources are at particular risk, because they may expose the vulnerable function to external input without validation.

The exact EPSS score is not provided in the CVE data, and the vulnerability is not listed in the CISA KEV catalog. However, prototype pollution is widely regarded as a high‑severity issue that can be exploited when an application accepts untrusted data. Because the vulnerability resides in a library commonly used for configuration parsing, an attacker could craft a specially formatted .ini file or query string to trigger the vulnerability in a live deployment. The lack of an available CVSS score or EPSS metric means that observers must rely on the inherent severity of prototype pollution and the presence of user supplied data to assess risk.