Description

Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.

INFO

Published Date :

2026-01-28T21:35:44.030Z

Last Modified :

2026-01-29T18:00:53.428Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-24888 vulnerability.

Vendors Products
Microsoft
  • Maker.js
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-24888.

URL Resource
https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241 cve-icon cve-icon
https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8 cve-icon cve-icon
https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact