Critical severity: n8n workflow expressions

Authenticated users can create or modify workflows containing malicious expressions such as `{{ {}[["__proto__"]].polluted = 23 }}` or `{{ {}[["toString"]][["constructor"]]("return process")(process) }}`. When executed, these expressions bypass the sandbox, leading to prototype pollution, arbitrary JavaScript execution, or OS command execution via spawn_sync. No error is raised, but the workflow produces unexpected server-side effects such as file reads and command execution.

Root cause

The isSafeObjectProperty sanitization function in packages/workflow/src/utils.ts assumes that property keys are strings (by TypeScript annotation only) and lacks a runtime `typeof property === 'string'` check. Attackers pass non-string values such as the array `["__proto__"]` in bracket-notation expressions; because `Set.has()` uses strict equality, the array never matches an entry of the string blacklist and the check passes. Downstream, `obj[property]` coerces the array to a string, reaching dangerous properties such as `__proto__` (prototype pollution) or `process` (RCE via the Function constructor or `process.binding('spawn_sync')`).
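The type confusion in the root cause, shown as an added example that is not n8n's code: a minimal blacklist-based property sanitizer in its vulnerable form (string type assumed, never checked) next to a hardened form that rejects any non-string key at runtime. The function names `isSafeObjectPropertyVulnerable`, `isSafeObjectPropertyFixed`, `safeGet` and `demo`, and the blacklist contents, are assumptions made for this illustration.

```javascript
// Added example, not the n8n implementation. Names and the blacklist below are assumed.
// Blacklist of property names that must never be reachable from an expression.
const UNSAFE_PROPERTIES = new Set(["__proto__", "prototype", "constructor"]);

// Vulnerable form: trusts the (compile-time) annotation that `property` is a string.
// Set.prototype.has uses strict equality, so a non-string key such as the array
// ["__proto__"] never matches the string "__proto__" and the check passes.
function isSafeObjectPropertyVulnerable(property) {
  return !UNSAFE_PROPERTIES.has(property);
}

// Hardened form: enforce the string assumption at runtime before consulting the
// blacklist. Arrays, objects, symbols and numbers are rejected outright.
function isSafeObjectPropertyFixed(property) {
  if (typeof property !== "string") return false;
  return !UNSAFE_PROPERTIES.has(property);
}

// Guarded property read. Note that obj[property] coerces a non-string key with
// String(), which is the step that turns ["__proto__"] back into "__proto__".
function safeGet(obj, property, check) {
  if (!check(property)) {
    throw new Error(`unsafe property access: ${String(property)}`);
  }
  return obj[property];
}

// Runs both checks against a constructed array key and reports what each allows.
function demo() {
  const key = ["__proto__"]; // constructed sample input: an array, not a string
  const results = {};
  results.coercedKey = String(key);                         // "__proto__"
  results.vulnerableAllows = isSafeObjectPropertyVulnerable(key); // true: blacklist bypassed
  results.fixedAllows = isSafeObjectPropertyFixed(key);           // false: non-string rejected
  // Under the vulnerable check the read reaches Object.prototype.
  results.vulnerableReachesPrototype =
    safeGet({}, key, isSafeObjectPropertyVulnerable) === Object.prototype;
  let fixedThrew = false;
  try {
    safeGet({}, key, isSafeObjectPropertyFixed);
  } catch {
    fixedThrew = true;
  }
  results.fixedThrew = fixedThrew;                           // true
  // Ordinary string keys still work with the hardened check.
  results.plainKeyValue = safeGet({ a: 1 }, "a", isSafeObjectPropertyFixed); // 1
  return results;
}

console.log(demo());
```

The hardened check deliberately rejects numeric keys as well as arrays; if array indexing through the same code path is required, coerce the key with `String(property)` before the blacklist lookup rather than widening the accepted types, so the value compared against the blacklist is always the same value used for the property access.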

Tags: n8n, RCE, CVE-2026-25049, GHSA-6cqr-8cfr-67f8, sandbox-escape, type-confusion, expression-injection

Citations