This affects the package mpath A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition
ignoreProperties.indexOf(parts[i]) !== -1 returns
['__proto__']. This is because the method that has been called if the input is an array is
Array.prototype.indexOf() and not
String.prototype.indexOf(). They behave differently depending on the type of the input.