| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| safe-eval | npm | <= 0.4.1 | |
The vulnerability stems from safe-eval's use of Node.js `vm.runInNewContext` with a sandbox that does not prevent prototype pollution. The PoC shows that evaluating code such as `__proto__.test=123` through safeEval pollutes the host's `Object.prototype`. The vm module's context isolation is known to be incomplete (it is not a security boundary): a plain `{}` sandbox carries the host's prototype chain, and the contextified global resolves names through that chain. The implementation neither uses `Object.create(null)` for the sandbox nor freezes prototypes, so untrusted code can reach and modify the host's global Object prototype chain.