In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
https://github.com/caolan/async/pull/1828
https://github.com/caolan/async/compare/v2.6.3...v2.6.4
https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d
https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264
https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js
https://github.com/caolan/async/blob/master/lib/internal/iterator.js