flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
convert() builds the nested tree by using each flat record's id and parent field values directly as object keys, with no guard against __proto__ / constructor / prototype. A record whose parent is the string "__proto__" makes temp[parent] resolve to Object.prototype, and the following initPush(…) writes attacker-controlled data onto the global prototype. Any application that passes attacker-influenced records to convert() is affected, and the base prototype methods stay intact so …
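The pattern described above next to a hardened form, as an added example that is not flat-to-nested's own code. The function names convertUnsafe and convertSafe, the initPush signature, the children property name and the sample records are assumptions made for illustration.

```javascript
// Added example: simplified stand-in for the pattern, not flat-to-nested's source.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Append child to parent[name], creating the array on first use.
function initPush(name, parent, child) {
  if (!Object.prototype.hasOwnProperty.call(parent, name)) parent[name] = [];
  parent[name].push(child);
}

// Vulnerable shape: record fields index a plain object (parents must come first).
function convertUnsafe(flat) {
  const temp = {};
  let root;
  for (const rec of flat) {
    temp[rec.id] = rec;
    if (rec.parent == null) root = rec;
    else initPush('children', temp[rec.parent], rec); // temp['__proto__'] is Object.prototype
  }
  return root;
}

// Hardened shape: reject reserved keys, and index with a Map (no prototype lookup).
function convertSafe(flat) {
  const childrenOf = new Map(); // String(parent id) -> child records
  let root = null;
  for (const rec of flat) {
    if ([rec.id, rec.parent].some((k) => UNSAFE_KEYS.has(String(k)))) {
      throw new TypeError('reserved key in id/parent field');
    }
    const p = String(rec.parent);
    if (rec.parent == null) root = rec;
    else if (childrenOf.has(p)) childrenOf.get(p).push(rec);
    else childrenOf.set(p, [rec]);
  }
  for (const rec of flat) {
    if (childrenOf.has(String(rec.id))) rec.children = childrenOf.get(String(rec.id));
  }
  return root;
}

function demo() {
  // Constructed sample records; the last one carries the reserved parent value.
  const good = [{ id: 1 }, { id: 2, parent: 1 }];
  const bad = [...good, { id: 3, parent: '__proto__' }];
  convertUnsafe(bad.map((r) => ({ ...r })));
  const polluted = Array.isArray(({}).children); // every object now inherits "children"
  delete Object.prototype.children;              // undo the pollution before continuing
  let rejected = false;
  try { convertSafe(bad.map((r) => ({ ...r }))); } catch (e) { rejected = e instanceof TypeError; }
  const tree = convertSafe(good.map((r) => ({ ...r })));
  return { polluted, rejected, childIds: tree.children.map((c) => c.id) };
}
```

Calling demo() returns polluted: true for the unguarded variant and rejected: true for the guarded one, with the legitimate records still nested as expected.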