The vulnerability stems from: 1) Type confusion in array operations (TemplatedGetItem/MapHelper) due to prototype chain side-effects, 2) Missing integrity checks in JIT compilation (Encoder::Encode), and 3) Unsafe spread optimizations. The commit adds CRC validation, prototype gap checks, and replaces unsafe TemplatedGetItem with TryTemplatedGetItem, directly addressing these vulnerable patterns.