dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
dottie versions 2.0.4 through 2.0.6 contain an incomplete fix for CVE-2023-26132. The prototype pollution guard introduced in commit 7d3aee1 only validates the first segment of a dot-separated path, allowing an attacker to bypass the protection by placing proto at any position other than the first. Both dottie.set() and dottie.transform() are affected.