It's not entirely JavaScript but it is partially due to some of the language's history and culture: prototype pollution wouldn't be possible in every other language and not everyone has a culture around things like decoding payloads in an exploitable manner (e.g. in the Python world some people used to decode pickled objects but it was always frowned upon; the Java world has had debates over the years about this). The big one which is unique to JavaScript is the culture around client-side execution and mixing code running between the two environments, which means you have a lot of machinery set up to execute code on the server and/or clients, making it both easy to have confusion around the execution context in ways which have been exploited and encouraging people to do things like ship complex objects between the two which programmers using other backend languages wouldn't consider because they never had the possibility of running directly in the browser.
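To illustrate the prototype pollution point in the comment above, here is an added example (not the commenter's code) showing a naive deep merge of JSON-decoded input beside a hardened one. The names `unsafeMerge`, `safeMerge`, `demo` and the sample payload are constructed for this illustration.

```javascript
// Keys that reach an object's prototype chain instead of its own data.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive deep merge: follows every key in the input, "__proto__" included.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]); // target["__proto__"] is Object.prototype
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened deep merge: skips prototype-reaching keys and only recurses into
// properties the target itself owns.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed sample input: JSON.parse makes "__proto__" an ordinary own key.
const SAMPLE = '{"theme":{"dark":true},"__proto__":{"isAdmin":true}}';

function demo() {
  const out = {};
  out.merged = safeMerge({}, JSON.parse(SAMPLE));
  out.afterSafe = ({}).isAdmin;        // unrelated object is untouched
  unsafeMerge({}, JSON.parse(SAMPLE));
  out.afterUnsafe = ({}).isAdmin;      // every object now inherits isAdmin
  delete Object.prototype.isAdmin;     // undo the pollution
  out.afterCleanup = ({}).isAdmin;
  return out;
}

console.log(demo());
```

Merging into `Object.create(null)` or using a `Map` for untrusted keys removes the prototype chain from the picture entirely, which is a stronger fix than a key blocklist.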