CVE-2024-43370:
gettext.js has a Cross-site Scripting injection
CVSS Score (v3.1): 7.2

Basic Information
CVE ID: CVE-2024-43370
EPSS Score: 0.40869%
Published: 8/15/2024
Updated: 8/16/2024
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
gettext.js | npm | < 2.0.3 | 2.0.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper input validation of plural_form definitions in .po files. The patch in commit 8150aeb changes the validation from a regex.test() check to a full-string match, indicating that the original regex accepted dangerous payloads through partial matches. The vulnerable code path processes untrusted plural_form input that is later evaluated, so a malicious plural form definition creates an XSS opportunity. Although the diffs show dist/ files, the core logic resides in lib/gettext.js, where plural form handling occurs.
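As an added illustration of the class of defect described above (this is not gettext.js code, and PLURAL_FORM_RE is a hypothetical pattern, not the project's actual one), the validator below shows why an unanchored regex.test() check accepts a header with extra content that a full-string match rejects; the sample headers are constructed for this example.

```javascript
// Hypothetical pattern for a Plural-Forms header such as
// "nplurals=2; plural=(n != 1);" -- NOT the pattern used by gettext.js.
const PLURAL_FORM_RE = /nplurals=\d+;\s*plural=[-+*\/%()\s\d!=<>&|?:n]+;?/;

// Weak check: RegExp.prototype.test() succeeds when the pattern matches
// ANY substring, so leading or trailing content is silently accepted
// and handed on to whatever later evaluates the expression.
function acceptsWithTest(pluralForm) {
  return PLURAL_FORM_RE.test(pluralForm);
}

// Stronger check: the matched text must be the entire input.
function acceptsWithFullMatch(pluralForm) {
  const m = pluralForm.match(PLURAL_FORM_RE);
  return m !== null && m[0] === pluralForm;
}

// Equivalent hardening: anchor the pattern with ^ and $.
const ANCHORED_RE = new RegExp(`^${PLURAL_FORM_RE.source}$`);
function acceptsAnchored(pluralForm) {
  return ANCHORED_RE.test(pluralForm);
}

// Constructed sample headers: two well-formed, two carrying extra
// content that only the partial-match check lets through.
const SAMPLES = [
  "nplurals=2; plural=(n != 1);",
  "nplurals=1; plural=0;",
  "nplurals=2; plural=(n != 1); trailing-content",
  "leading-content nplurals=2; plural=(n != 1);",
];

// Returns the verdict of each check for one header.
function compareChecks(pluralForm) {
  return {
    test: acceptsWithTest(pluralForm),
    full: acceptsWithFullMatch(pluralForm),
    anchored: acceptsAnchored(pluralForm),
  };
}

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), compareChecks(s));
}
```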