JavaScript & Node.js

Merging user-controlled objects without filtering lets attackers modify Object.prototype and affect every object in the application.

Regular expressions with nested quantifiers can take exponential time to evaluate certain inputs, freezing your Node.js event loop.

Using Math.random() for security-sensitive values like tokens or IDs is predictable and can be brute-forced.

A service worker registered without scope restrictions can intercept all network requests for a domain, including those from other pages.