Cyber Posture

CVE-2026-24888

Severity: Medium · Public PoC

Published: 28 January 2026
Modified: 09 February 2026
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0046 (64.5th percentile)
Risk Priority: 13 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Maker.js is a 2D vector line drawing and shape modeling library for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Flaw remediation requires timely patching of vulnerable third-party libraries like Maker.js to version 0.19.2, directly eliminating the prototype pollution vulnerability in extendObject.
- Detect: Vulnerability monitoring and scanning identifies deployed instances of vulnerable Maker.js versions affected by CVE-2026-24888 for prioritization and remediation.
- Prevent: Information input validation sanitizes untrusted object inputs before passing them to makerjs.extendObject, blocking malicious properties that enable prototype pollution.

Security Summary (AI-generated)

CVE-2026-24888 is a vulnerability in Maker.js, a JavaScript library for 2D vector line drawing and shape modeling used with CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects to target objects without proper validation. It lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied, which aligns with CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, or prototype pollution). The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and was published on 2026-01-28.

The vulnerability enables exploitation over the network with low attack complexity, requiring no privileges, no user interaction, and no change in scope. Any remote attacker can leverage it if untrusted input reaches the `makerjs.extendObject` function, such as through parsed files or data in web applications using Maker.js. Successful exploitation allows low-impact confidentiality and integrity violations, typically by polluting object prototypes and altering application behavior.

Mitigation is addressed in GitHub commit 85e0f12bd868974b891601a141974f929dec36b8, expected to be included in Maker.js version 0.19.2. Security practitioners should update to the patched version and review the GitHub security advisory GHSA-2cp6-34r9-54xx for further details. The vulnerable code is visible in the maker.ts source at lines 232-241 prior to the fix.
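As an added illustration (hypothetical code, not Maker.js's `extendObject` nor the upstream fix), the contrast between a naive property copy of the kind described above and a hardened one that keeps only own properties and drops prototype-reaching keys, plus the input sanitizer the controls section calls for, run over constructed untrusted JSON:

```javascript
// Added example: hypothetical naive vs. hardened property copy (not Maker.js code).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
// Naive shallow copy of the kind the advisory describes: for...in also walks
// inherited enumerable properties, and no key is filtered.
function naiveExtend(target, source) {
  for (const key in source) {
    if (source[key] !== undefined) target[key] = source[key];
  }
  return target;
}
// Hardened copy: own properties only, never a prototype-reaching key.
function safeExtend(target, source) {
  if (!target || !source) return target;
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue; // inherited
    if (DANGEROUS_KEYS.has(key)) continue;                            // __proto__ etc.
    if (source[key] !== undefined) target[key] = source[key];
  }
  return target;
}
// Recursive sanitizer for untrusted parsed input (the input-validation control above).
function stripDangerousKeys(value) {
  if (Array.isArray(value)) return value.map(stripDangerousKeys);
  if (value === null || typeof value !== 'object') return value;
  const clean = {};
  for (const key of Object.keys(value)) {
    if (!DANGEROUS_KEYS.has(key)) clean[key] = stripDangerousKeys(value[key]);
  }
  return clean;
}

// Constructed untrusted input, e.g. a model file uploaded to a web application.
const UNTRUSTED_JSON = '{"units":"mm","__proto__":{"polluted":true}}';

function demo() {
  // JSON.parse stores "__proto__" as an own key; naive assignment hits the __proto__ setter.
  const naive = naiveExtend({}, JSON.parse(UNTRUSTED_JSON));
  const safe = safeExtend({}, JSON.parse(UNTRUSTED_JSON));
  const cleaned = stripDangerousKeys(JSON.parse(UNTRUSTED_JSON));
  const src = Object.assign(Object.create({ inherited: 1 }), { own: 2 });
  return {
    naivePolluted: naive.polluted === true,          // true, via swapped prototype
    safePolluted: safe.polluted === true,            // false
    safeUnits: safe.units,                           // 'mm'
    cleanedKeys: Object.keys(cleaned).join(','),     // 'units'
    naiveInherited: naiveExtend({}, src).inherited,  // 1
    safeInherited: safeExtend({}, src).inherited,    // undefined
  };
}
```

The naive copy never touches the shared `Object.prototype` here; it swaps the target's own prototype, which is enough for the attacker-controlled `polluted` property to become visible as an inherited property of the target.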

Details

CWE(s): CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)

Affected Products: microsoft maker.js ≤ 0.19.1

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? The vulnerability is exploitable over the network with no privileges or user interaction in web applications using Maker.js, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
