A type confusion vulnerability can lead to a bypass of CVE-2019-10747 when the user-provided keys used in the path parameter are arrays.
Created nodejs-set-value tracking bugs for this issue:
Affects: fedora-33 [bug 2004945]
Downgrading the impact to Moderate, as this not qualify for Important severity Red Hat rating.
Upstream PR and fix: