| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| linux-cmdline | npm | < 1.0.1 | 1.0.1 |
The vulnerability stems from the original reducer function's logic for processing dot-separated keys. The pre-patch code (shown in the diff) used a while loop to traverse keypaths and, through repeated assignments like `node[key] = node[key] || {}`, implicitly followed properties inherited from the prototype rather than only the object's own properties. This allowed attackers to reach and modify `Object.prototype` via `__proto__` keypaths. The patch introduced object spread syntax (`{...result}`) and explicit `hasOwnProperty` checks to prevent prototype pollution, confirming that the vulnerability was in the reducer's keypath handling logic.
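As an added illustration, not the linux-cmdline source or its patch: a minimal dot-keypath reducer written in the unsafe style the advisory describes, beside a hardened form that uses own-property checks and a spread copy as the patch does and additionally refuses keys that can reach the prototype chain. The helper names (`parseUnsafe`, `parseSafe`, `splitToken`) and the sample command lines are assumptions.

```javascript
// Added illustration, not the linux-cmdline source: parseUnsafe mirrors the
// pre-patch pattern, parseSafe the hardened one (names are hypothetical).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split one "a.b.c=value" token into its keypath and value ("flag" alone -> true).
function splitToken(item) {
  const eq = item.indexOf('=');
  return eq === -1
    ? { keys: item.split('.'), value: true }
    : { keys: item.slice(0, eq).split('.'), value: item.slice(eq + 1) };
}

// Unsafe reducer: node[key] || {} reuses whatever node[key] resolves to,
// including properties inherited from Object.prototype, so a keypath that
// starts with __proto__ walks into the shared prototype and writes there.
function parseUnsafe(cmdline) {
  return cmdline.split(/\s+/).filter(Boolean).reduce((result, item) => {
    const { keys, value } = splitToken(item);
    let node = result;
    while (keys.length > 1) {
      const key = keys.shift();
      node[key] = node[key] || {};
      node = node[key];
    }
    node[keys[0]] = value;
    return result;
  }, {});
}

// Hardened reducer: drop tokens whose keypath could reach the prototype chain,
// descend only into plain objects the current node actually owns, and hand
// back a fresh spread copy (the pattern the patch introduced) instead of the
// accumulator itself.
function parseSafe(cmdline) {
  return cmdline.split(/\s+/).filter(Boolean).reduce((result, item) => {
    const { keys, value } = splitToken(item);
    if (keys.some((k) => BLOCKED_KEYS.has(k))) return result;
    let node = result;
    while (keys.length > 1) {
      const key = keys.shift();
      const own = Object.prototype.hasOwnProperty.call(node, key);
      if (!own || typeof node[key] !== 'object' || node[key] === null) node[key] = {};
      node = node[key];
    }
    node[keys[0]] = value;
    return { ...result };
  }, {});
}
```

Running `parseUnsafe('__proto__.polluted=yes')` leaves `({}).polluted === 'yes'` for every object in the process; `parseSafe` on the same input returns an empty result and leaves `Object.prototype` untouched.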