Description
Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.
Published: 2026-01-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution
Action: Apply Patch
AI Analysis

Impact

Maker.js is a 2D vector drawing library developed by Microsoft. In versions up to 0.19.1, its makerjs.extendObject function copies all properties from a source object to a target object without validating ownership or filtering dangerous keys. Because the function does not check hasOwnProperty and allows inherited properties, an attacker could provide a crafted object that injects unwanted properties, including functions, into the target. This behavior exposes consumers of the library to potential security risks, such as code execution or the alteration of application behavior, if the injected properties are later accessed or executed.

Affected Systems

Microsoft Maker.js versions 0.19.1 and earlier, running on Node.js environments.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while an EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, meaning no publicly known exploits have been reported to date. The likely attack vector is an application that accepts untrusted input and passes the data to extendObject; if the application runs with elevated privileges, an attacker could exploit the flaw to influence code execution.

Generated by OpenCVE AI on April 18, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Maker.js to version 0.19.2 or later to obtain the official patch
  • If an upgrade is not immediately possible, review all calls to makerjs.extendObject and restrict the source objects to those containing only own properties, employing Object.hasOwnProperty checks or filtering the input
  • Implement a defensive filter that removes or blocks dangerous properties such as __proto__, constructor, or prototype from source objects to prevent inadvertent code injection

Generated by OpenCVE AI on April 18, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2cp6-34r9-54xx Maker.js has Unsafe Property Copying in makerjs.extendObject
History

Mon, 09 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:microsoft:maker.js:*:*:*:*:*:node.js:*:*

Thu, 29 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft maker.js
Vendors & Products Microsoft
Microsoft maker.js

Wed, 28 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Description Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.
Title Maker.js Vulnerable to Unsafe Property Copying in makerjs.extendObject
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Microsoft Maker.js
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T18:00:53.428Z

Reserved: 2026-01-27T19:35:20.528Z

Link: CVE-2026-24888

cve-icon Vulnrichment

Updated: 2026-01-29T16:02:26.579Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-28T22:15:56.517

Modified: 2026-02-09T16:37:29.410

Link: CVE-2026-24888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses