CVE-2026-24888
Maker.js has Unsafe Property Copying in makerjs.extendObject
Description
### Summary

The `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects.

### Details

The `extendObject` function iterates over source object properties using a `for...in` loop without:

1. Checking `hasOwnProperty()` to exclude inherited properties
2. Filtering dangerous keys (`__proto__`, `constructor`, `prototype`)
3. Validating property sources

### Affected Code

**File**: https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241

### PoC

```javascript
const makerjs = require('makerjs');

// The source object's dangerous values live on its prototype, not as own properties.
const source = { __proto__: { name: 'Ravi', isAdmin: true } };
const target = { name: 'user' };

const result = makerjs.extendObject(target, source);
console.log(result.name);    // Ravi
console.log(result.isAdmin); // true
```

### Impact

#### Security Implications

1. **Unexpected Behavior**: Properties may appear on target objects but not be own properties, breaking `hasOwnProperty()` assumptions in security-sensitive code.
2. **Security Bypass Risk**: Code relying on `hasOwnProperty()` for validation could be bypassed.
3. **Future Risk**: Lack of dangerous key filtering (`__proto__`, `constructor`, `prototype`) exposes potential attack vectors.

#### Affected Use Cases

- Extending objects from user input or external APIs
- Merging options from untrusted sources
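To make the remediation concrete, the following is an added example, not code from maker.js or from the advisory author. `unsafeExtend` is our own approximation of the unchecked `for...in` copy the advisory describes (the real `extendObject` body is not reproduced here); `safeExtend`, `BLOCKED_KEYS` and `runDemo` are hypothetical names for a hardened merge that copies own enumerable keys only, drops `__proto__`, `constructor` and `prototype`, and assigns via `Object.defineProperty` so that a key named `__proto__` can never reach the prototype setter. The inputs are constructed to mirror the PoC above plus a JSON-sourced object carrying a literal `"__proto__"` key.

```javascript
// Added example (not maker.js code): the unsafe pattern the advisory describes,
// beside a hardened replacement a consumer could use for untrusted option bags.

// Approximation of the reported pattern: for...in with no ownership or key checks.
// Inherited enumerable keys are copied, and a key named "__proto__" hits the setter.
function unsafeExtend(target, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: own enumerable keys only (Object.keys), blocked keys skipped,
// and defineProperty instead of assignment so no accessor on the prototype chain
// (such as the __proto__ setter) can be triggered by a hostile key.
function safeExtend(target, ...sources) {
  for (const source of sources) {
    if (source === null || typeof source !== 'object') continue;
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;
      Object.defineProperty(target, key, {
        value: source[key],
        writable: true,
        enumerable: true,
        configurable: true,
      });
    }
  }
  return target;
}

// Constructed inputs: one source whose values are inherited from its prototype
// (as in the advisory's PoC), one parsed from JSON with a literal "__proto__" key
// (what JSON.parse yields for attacker-controlled JSON).
function runDemo() {
  const inherited = { __proto__: { name: 'Ravi', isAdmin: true } };
  const literalProto = JSON.parse('{"__proto__": {"polluted": true}, "size": 42}');

  const unsafe = unsafeExtend({ name: 'user' }, inherited, literalProto);
  const safe = safeExtend({ name: 'user' }, inherited, literalProto);

  return {
    // unsafe: inherited keys were copied and the target's prototype was swapped
    unsafeIsAdmin: unsafe.isAdmin,                                            // true
    unsafePolluted: unsafe.polluted,                                          // true
    unsafePrototypeSwapped: Object.getPrototypeOf(unsafe) !== Object.prototype, // true
    // safe: only the legitimate own key "size" arrived; prototype untouched
    safeName: safe.name,                                                      // 'user'
    safeIsAdmin: safe.isAdmin,                                                // undefined
    safeSize: safe.size,                                                      // 42
    safePrototypeIntact: Object.getPrototypeOf(safe) === Object.prototype,    // true
  };
}

console.log(runDemo());
```

When the target is a fresh options bag rather than an existing object, creating it with `Object.create(null)` removes the prototype chain entirely, so even a missed `__proto__` key would become an ordinary own property.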
How to fix CVE-2026-24888
To remediate CVE-2026-24888, upgrade the affected package to a fixed version below.
- makerjs: upgrade to 0.19.2 or later
Is CVE-2026-24888 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- makerjs: from 0, < 0.19.2