The vulnerability documentation explicitly identifies the handler function as the entry point where user-controlled parameters are not properly sanitized. The PoC demonstrates pollution via handler(['proto'], 'polluted', 'yes'), showing direct exploitability through this function. While exact file paths aren't confirmed in public sources, the function name and vulnerability pattern match common prototype pollution vectors in JavaScript middleware modules.