Impact
The vulnerability is in the JavaScript library jsondiffpatch: its patch functions accept unfiltered delta or JSON Patch input and use the property names and path segments from that input without validation. An attacker can supply crafted data that targets the special properties __proto__ or constructor.prototype, which causes properties to be set on Object.prototype and pollutes the global prototype chain. Based on the description, it is inferred that downstream objects then inherit the polluted properties, potentially leading to code execution or other malicious behavior depending on how application code uses those objects. The weakness is classified as CWE-1321.
Affected Systems
The weakness is present in all jsondiffpatch releases prior to 0.7.6. Projects that depend on the library via npm or yarn and use either the default patch API or the jsonpatch formatter API are susceptible. The issue is not tied to a particular vendor: it applies to any application or service that imports jsondiffpatch from npm and forwards external or untrusted data to its patch functions.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity. No EPSS score is available, but the lack of a documented exploit in the KEV catalog suggests limited public exploitation at present. However, because the flaw is triggered by arbitrary input to a widely used library, the risk surface is high, especially in environments where the library receives externally provided patch data. Based on the description, it is inferred that attackers can likely achieve prototype pollution locally, which may lead to code execution if the polluted prototype is later used to evaluate or execute code. The vulnerability is known to exist, but no official patch or workaround is available from a CNA, so the sole mitigation is to update the package.
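The following is an added example, not code from jsondiffpatch or from this advisory: a check that flags the property names and JSON Pointer segments described under Impact in untrusted delta or JSON Patch input, useful for logging or rejecting such requests at the trust boundary alongside the update. The function names are hypothetical, the sample inputs are constructed, and the check will also flag legitimate documents that happen to have a field named constructor or prototype.

```javascript
// Key names that lead to Object.prototype when used as property names.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Decode one JSON Pointer segment (RFC 6901): "~1" is "/", "~0" is "~".
function decodeSegment(seg) {
  return seg.replace(/~1/g, '/').replace(/~0/g, '~');
}

// Walk a parsed delta and return the location of every unsafe own key.
function findUnsafeKeys(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (UNSAFE_KEYS.has(key)) found.push(here);
    findUnsafeKeys(value[key], here, found);
  }
  return found;
}

// Return every "path"/"from" pointer in a JSON Patch (RFC 6902) array
// that contains an unsafe segment after pointer decoding.
function findUnsafePointers(ops) {
  const found = [];
  if (!Array.isArray(ops)) return found;
  for (const op of ops) {
    for (const field of ['path', 'from']) {
      const ptr = op && op[field];
      if (typeof ptr !== 'string') continue;
      const segments = ptr.split('/').slice(1).map(decodeSegment);
      if (segments.some((s) => UNSAFE_KEYS.has(s))) found.push(ptr);
    }
  }
  return found;
}

// Constructed samples. JSON.parse is used so that "__proto__" arrives as an
// own key, the way it does in a parsed request body.
const sampleDelta = JSON.parse('{"name":["a","b"],"__proto__":{"flag":[true]}}');
const samplePatch = JSON.parse(
  '[{"op":"add","path":"/constructor/prototype/flag","value":true},' +
  '{"op":"replace","path":"/a~1b/c","value":1}]'
);

console.log(findUnsafeKeys(sampleDelta));     // delta locations to reject or log
console.log(findUnsafePointers(samplePatch)); // JSON Patch pointers to reject or log
```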