CVE-2026-24888 Overview
CVE-2026-24888 is a Prototype Pollution vulnerability in Maker.js, a 2D vector line drawing and shape modeling library designed for CNC and laser cutters. The vulnerability exists in the makerjs.extendObject function, which copies properties from source objects without proper validation, potentially exposing applications to security risks.
The function lacks hasOwnProperty() checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. This can lead to various security issues including denial of service, data manipulation, and in some cases, remote code execution depending on how the polluted prototype is used downstream.
Critical Impact
Prototype pollution in Maker.js can allow attackers to inject malicious properties into Object prototypes, potentially affecting application-wide behavior and security controls.
Affected Products
- Maker.js versions up to and including 0.19.1
- Applications using the makerjs.extendObject function with untrusted input
- CNC and laser cutter software integrating vulnerable Maker.js versions
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-24888 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24888
Vulnerability Analysis
The vulnerability is classified under CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes). Prototype pollution occurs when an attacker is able to inject properties into existing JavaScript object prototypes. In the case of Maker.js, the extendObject function fails to properly validate the properties being copied from source to target objects.
When the function copies properties without checking hasOwnProperty(), it may inadvertently copy inherited properties from the prototype chain. More critically, if an attacker can control the source object, they can inject properties like __proto__, constructor, or prototype that will pollute the Object prototype and affect all objects in the application.
This vulnerability allows network-based attacks without requiring authentication or user interaction. The impact includes potential compromise of data confidentiality and integrity, though availability is not directly affected.
Root Cause
The root cause lies in the unsafe implementation of the makerjs.extendObject function located in packages/maker.js/src/core/maker.ts. The function iterates over source object properties and copies them to the target without:
- Checking if properties are own properties using hasOwnProperty()
- Filtering dangerous property names such as __proto__, constructor, or prototype
- Validating the type or safety of values being assigned
This allows inherited properties from the prototype chain to be copied, and more dangerously, allows specially crafted objects to pollute the global Object prototype.
Attack Vector
An attacker can exploit this vulnerability by providing a malicious object as input to any application function that ultimately passes data through makerjs.extendObject. The attack requires the application to process attacker-controlled input through this function path. Once the prototype is polluted, the injected properties become available on all objects within the application, potentially bypassing security checks, modifying application behavior, or enabling further attacks.
The network-based attack vector with low complexity makes this vulnerability particularly concerning for web applications that use Maker.js to process user-supplied design files or configurations.
The security patch modifies line references in the codebase to address this vulnerability. The fix is available in commit 85e0f12bd868974b891601a141974f929dec36b8:
<aside class="tsd-sources">
<p>Inherited from <a href="makerjs.exporter.idxfrenderoptions.html">IDXFRenderOptions</a>.<a href="makerjs.exporter.idxfrenderoptions.html#pointmatchingdistance">pointMatchingDistance</a></p>
<ul>
- <li>Defined in <a href="https://github.com/microsoft/maker.js/blob/master/packages/maker.js/src/core/maker.ts#L519">src/maker.js/packages/maker.js/src/core/maker.ts:519</a></li>
+ <li>Defined in <a href="https://github.com/microsoft/maker.js/blob/master/packages/maker.js/src/core/maker.ts#L520">src/maker.js/packages/maker.js/src/core/maker.ts:520</a></li>
</ul>
</aside>
<div class="tsd-comment tsd-typography">
Source: GitHub Commit Reference
Detection Methods for CVE-2026-24888
Indicators of Compromise
- Unexpected properties appearing on JavaScript objects across the application
- Application behavior changes not triggered by legitimate code paths
- Error messages or crashes related to unexpected object property access
- Log entries showing unusual property names like __proto__ or constructor in user input
Detection Strategies
- Implement application-level logging to monitor calls to extendObject and similar functions with user-controlled data
- Use static analysis tools to identify usage of vulnerable Maker.js versions in codebases
- Deploy runtime application self-protection (RASP) solutions to detect prototype pollution attempts
- Scan dependency manifests (package.json) for Maker.js versions <= 0.19.1
Monitoring Recommendations
- Monitor application logs for JSON parsing errors or unexpected object mutations
- Set up alerts for unusual patterns in design file uploads or API inputs
- Track Object prototype state in development and testing environments
- Implement integrity checks on critical application objects
How to Mitigate CVE-2026-24888
Immediate Actions Required
- Update Maker.js to version 0.19.2 or later which contains the security fix
- Audit application code for any usage of makerjs.extendObject with untrusted input
- Review and validate all user input before processing through Maker.js functions
- Consider implementing Object.freeze() on Object.prototype as a temporary mitigation
Patch Information
A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. The fix implements proper property validation in the extendObject function to prevent prototype pollution attacks.
For detailed patch information, refer to the GitHub Security Advisory GHSA-2cp6-34r9-54xx and the source code reference.
Workarounds
- Implement input validation to strip dangerous properties (__proto__, constructor, prototype) before passing data to Maker.js
- Create a wrapper function around extendObject that performs hasOwnProperty() checks
- Use Object.create(null) for objects that will be extended to avoid prototype chain issues
- Freeze Object.prototype in environments where this won't break application functionality
# Update Maker.js to patched version
npm update maker.js@^0.19.2
# Or install specific patched version
npm install maker.js@0.19.2
# Verify installed version
npm list maker.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
