Vulnerability Description
Maker.js is a library for 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from a source object onto a target object without validating them. The copy loop performs no `hasOwnProperty()` check, so enumerable properties inherited through the source's prototype chain are copied along with the source's own properties, and it does not filter dangerous keys (in JavaScript object-merge code these are `__proto__`, `constructor` and `prototype`), so an attacker who controls the source object, for example through a model description parsed from untrusted JSON, can have prototype-affecting or otherwise malicious properties written onto the target. Applications that pass untrusted input through `extendObject` are therefore exposed. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to ship in version 0.19.2.
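The two defects the description names, an unguarded `for...in` copy and no key filtering, are easiest to see side by side. The following is an added example, not Maker.js source: `extendObjectUnsafe` is an assumed reconstruction of the vulnerable pattern (the exact loop body in the project is not reproduced here), and `extendObjectSafe` is one way to harden it. The untrusted JSON input and the `isAdmin` / `inheritedFlag` names are constructed for the demonstration.

```javascript
// Assumed shape of the vulnerable pattern (example code, not the project's own):
// for...in enumerates inherited enumerable keys, and nothing rejects "__proto__".
function extendObjectUnsafe(target, other) {
  if (target && other) {
    for (const key in other) {                 // walks the prototype chain too
      if (typeof other[key] !== 'undefined') {
        target[key] = other[key];              // no hasOwnProperty(), no key filter
      }
    }
  }
  return target;
}

// Hardened form: own enumerable keys only, a blocklist for prototype-affecting
// keys, and defineProperty so that even a missed key becomes an own data
// property instead of invoking the Object.prototype.__proto__ setter.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendObjectSafe(target, other) {
  if (target && other) {
    for (const key of Object.keys(other)) {    // own, enumerable keys only
      if (DANGEROUS_KEYS.has(key)) continue;   // never copy these
      if (typeof other[key] !== 'undefined') {
        Object.defineProperty(target, key, {
          value: other[key], writable: true, enumerable: true, configurable: true,
        });
      }
    }
  }
  return target;
}

// Case 1: an inherited property leaks through the missing hasOwnProperty() check.
function demoInheritedLeak() {
  const base = { inheritedFlag: true };        // constructed prototype object
  const source = Object.create(base);          // inherits inheritedFlag, owns nothing yet
  source.own = 1;
  const unsafe = extendObjectUnsafe({}, source);
  const safe = extendObjectSafe({}, source);
  return {
    unsafeHasInherited: Object.prototype.hasOwnProperty.call(unsafe, 'inheritedFlag'),
    safeHasInherited: Object.prototype.hasOwnProperty.call(safe, 'inheritedFlag'),
  };
}

// Case 2: an attacker-controlled "__proto__" key. JSON.parse creates it as an
// own property, for...in enumerates it, and the plain assignment swaps the
// target's prototype. The global Object.prototype is not touched by this
// shallow copy; the damage is confined to the target object.
function demoProtoKey() {
  // Constructed untrusted input, e.g. a model description from a request body.
  const untrusted = JSON.parse('{"units":"mm","__proto__":{"isAdmin":true}}');
  const unsafe = extendObjectUnsafe({}, untrusted);
  const safe = extendObjectSafe({}, untrusted);
  return {
    unsafeIsAdmin: unsafe.isAdmin === true,
    unsafeProtoIsObjectProto: Object.getPrototypeOf(unsafe) === Object.prototype,
    safeIsAdmin: safe.isAdmin === true,
    safeProtoIntact: Object.getPrototypeOf(safe) === Object.prototype,
    globalUnpolluted: ({}).isAdmin === undefined,
    safeCopiedUnits: safe.units === 'mm',
  };
}
```

Running `demoProtoKey()` shows `unsafe.isAdmin` resolving to `true` because the target's prototype was replaced, while `extendObjectSafe` copies `units` and drops the `__proto__` key. The `Object.keys` loop alone fixes the inherited-property leak (case 1); the blocklist and `defineProperty` are what stop the `__proto__` case, so a fix that adds only `hasOwnProperty()` would still be exposed to case 2.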
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Maker.js | <= 0.19.1 |
Related Weaknesses (CWE)
References
- https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587 (Product)
- https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929de (Patch)
- https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx (Vendor Advisory, Exploit)
FAQ
What is CVE-2026-24888?
CVE-2026-24888 is a vulnerability in Microsoft Maker.js, versions up to and including 0.19.1, with a CVSS base score of 6.5 (MEDIUM). The `makerjs.extendObject` function copies properties from a source object onto a target without a `hasOwnProperty()` check and without filtering dangerous keys, so inherited properties and attacker-controlled keys such as `__proto__` are copied onto the target object. See the Vulnerability Description above for details.
How severe is CVE-2026-24888?
CVE-2026-24888 has been rated MEDIUM with a CVSS base score of 6.5/10. The individual metrics are not reproduced on this page; consult the vendor advisory in the references for the full vector.
Is there a patch for CVE-2026-24888?
Yes. The fix is commit 85e0f12bd868974b891601a141974f929dec36b8 in microsoft/maker.js, expected to be released in version 0.19.2; upgrade to 0.19.2 or later once it is published, and check the vendor advisory in the references for the current status. Affected products: Microsoft Maker.js <= 0.19.1. To confirm which version a project pulls in, run `npm ls makerjs` in the project directory.