{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.528Z", "datePublished": "2026-01-28T21:35:44.030Z", "dateUpdated": "2026-01-29T18:00:53.428Z"}, "containers": {"cna": {"title": "Maker.js Vulnerable to Unsafe Property Copying in makerjs.extendObject", "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "lang": "en", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx"}, {"name": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8"}, {"name": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241", "tags": ["x_refsource_MISC"], "url": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241"}], "affected": [{"vendor": "microsoft", "product": "maker.js", "versions": [{"version": "<= 0.19.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T21:35:44.030Z"}, "descriptions": [{"lang": "en", "value": "Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2."}], "source": {"advisory": "GHSA-2cp6-34r9-54xx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T16:02:22.958539Z", "id": "CVE-2026-24888", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T18:00:53.428Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24888", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T16:02:22.958539Z"}}}], "references": [{"url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T16:02:26.579Z"}}], "cna": {"title": "Maker.js Vulnerable to Unsafe Property Copying in makerjs.extendObject", "source": {"advisory": "GHSA-2cp6-34r9-54xx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "microsoft", "product": "maker.js", "versions": [{"status": "affected", "version": "<= 0.19.1"}]}], "references": [{"url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx", "name": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8", "name": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241", "name": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T21:35:44.030Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24888", "state": "PUBLISHED", "dateUpdated": "2026-01-29T18:00:53.428Z", "dateReserved": "2026-01-27T19:35:20.528Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T21:35:44.030Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:maker.js:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "1DB78CEE-2892-487A-B7BA-076AF9E75CF1", "versionEndIncluding": "0.19.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2."}], "id": "CVE-2026-24888", "lastModified": "2026-02-09T16:37:29.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T22:15:56.517", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:38:44.716395+00:00", "value": {"mitigation_remediation": ["Upgrade Maker.js to version 0.19.2 or later to obtain the official patch", "If an upgrade is not immediately possible, review all calls to makerjs.extendObject and restrict the source objects to those containing only own properties, employing Object.hasOwnProperty checks or filtering the input", "Implement a defensive filter that removes or blocks dangerous properties such as __proto__, constructor, or prototype from source objects to prevent inadvertent code injection"], "summary": {"action": "Apply Patch", "impact": "Potential Code Execution"}, "threat_synthesis": {"affected_systems": "Microsoft Maker.js versions 0.19.1 and earlier, running on Node.js environments.", "description_and_impact": "Maker.js is a 2D vector drawing library developed by Microsoft. In versions up to 0.19.1, its makerjs.extendObject function copies all properties from a source object to a target object without validating ownership or filtering dangerous keys. Because the function does not check hasOwnProperty and allows inherited properties, an attacker could provide a crafted object that injects unwanted properties, including functions, into the target. This behavior exposes consumers of the library to potential security risks, such as code execution or the alteration of application behavior, if the injected properties are later accessed or executed.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploits have been reported to date. The likely attack vector is an application that accepts untrusted input and passes the data to extendObject; if the application runs with elevated privileges, an attacker could exploit the flaw to influence code execution."}}}}, "created": "2026-01-29T09:08:38.056028+00:00", "updated": "2026-04-18T14:45:03.136838+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$maker.js"]}