Okta Auth0 JWT vulnerability CVE-2022-23529 (github.com/advisories)
7 points by KingOfCoders on Jan 11, 2023 | hide | past | favorite | 2 comments


You can find the original writeup here: https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerabili...

It's pretty much yet another one on the pile of object deserialization vulnerabilities.


I don't see anything about deserialization. If you can add a function to an object, then you're running code on the server already, there's no need to wait for the function to be called. Surely I'm missing some scenario where this is impactful.



