CVE-2026-24888
Maker.js has Unsafe Property Copying in makerjs.extendObject
Description
### Summary

The `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, so inherited properties and potentially malicious properties are copied onto target objects.

### Details

The `extendObject` function iterates over source object properties with a `for...in` loop without:

1. Checking `hasOwnProperty()` to exclude inherited properties
2. Filtering dangerous keys (`__proto__`, `constructor`, `prototype`)
3. Validating property sources

### Affected Code

**File**: https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241

### PoC

```javascript
const makerjs = require('makerjs');

// `__proto__` in an object literal sets the prototype of `source`,
// so `name` and `isAdmin` are inherited, not own, properties.
const source = { __proto__: { name: 'Ravi', isAdmin: true } };
const target = { name: 'user' };

const result = makerjs.extendObject(target, source);

console.log(result.name);    // Ravi
console.log(result.isAdmin); // true
```

### Impact

### Security Implications

1. **Unexpected Behavior**: Properties may appear on target objects but not be own properties, breaking `hasOwnProperty()` assumptions in security-sensitive code.
2. **Security Bypass Risk**: Code relying on `hasOwnProperty()` for validation could be bypassed.
3. **Future Risk**: Lack of dangerous key filtering (`__proto__`, `constructor`, `prototype`) exposes potential attack vectors.

### Affected Use Cases

- Extending objects from user input or external APIs
- Merging options from untrusted sources
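To show the defect and the fix side by side, here is an added example that is not maker.js code: `extendObjectUnsafe` is an assumed minimal reconstruction of the `for...in` copy shape the advisory describes (not the project's actual source), and `extendObjectSafe` is the hardened form that copies own keys only and drops the dangerous prototype-chain keys. The inputs in `demo()` are constructed.

```javascript
// Added example (not maker.js's own code). extendObjectUnsafe is an assumed
// reconstruction of the vulnerable for...in shape; extendObjectSafe is the fix.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape: for...in also walks inherited enumerable properties, and an
// own key literally named "__proto__" is assigned straight onto the target,
// which re-points the target's prototype.
function extendObjectUnsafe(target, ...sources) {
  for (const source of sources) {
    if (source == null) continue;
    for (const key in source) {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: Object.keys yields own enumerable keys only, and keys that reach
// the prototype chain are skipped instead of assigned.
function extendObjectSafe(target, ...sources) {
  for (const source of sources) {
    if (source == null) continue;
    for (const key of Object.keys(source)) {
      if (DANGEROUS_KEYS.has(key)) continue;
      target[key] = source[key];
    }
  }
  return target;
}

// Two constructed inputs: the advisory's shape (properties inherited through a
// prototype) and the JSON shape (an own key named "__proto__", as JSON.parse
// produces for untrusted input).
function demo() {
  const inherited = { __proto__: { isAdmin: true } };
  const fromJson = JSON.parse('{"__proto__": {"isAdmin": true}, "name": "x"}');
  return {
    unsafeInherited: extendObjectUnsafe({}, inherited).isAdmin, // true
    safeInherited: extendObjectSafe({}, inherited).isAdmin,     // undefined
    unsafeJson: extendObjectUnsafe({}, fromJson).isAdmin,       // true, via prototype
    safeJson: extendObjectSafe({}, fromJson),                   // { name: 'x' }
  };
}
```

A quick way to check an existing merge helper is the `fromJson` case: after the merge, `Object.getPrototypeOf(target)` should still be `Object.prototype`.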
How to fix CVE-2026-24888
To fix CVE-2026-24888, upgrade the affected package to the patched version below.
- Upgrade to 0.19.2 or later
Is CVE-2026-24888 being exploited?
Low: EPSS is 0.6%; no large-scale exploitation activity has been observed so far.
Affected packages (1)
- from 0, < 0.19.2