CVE-2026-24888

6.5 MEDIUM

📋 TL;DR

Maker.js versions up to and including 0.19.1 contain a prototype pollution vulnerability in the extendObject function: when it copies properties from an object the attacker controls, the copied properties can modify object prototypes. This affects applications that use Maker.js for 2D vector drawing and shape modeling and pass untrusted input through extendObject. The realistic outcome is denial of service or altered application behaviour; remote code execution is possible only where some code path in the application later reads a property the attacker planted on the prototype chain.

💻 Affected Systems

Products:
  • Maker.js
Versions: All versions up to and including 0.19.1
Operating Systems: Any platform running the library (Node.js or browser)
Default Config Vulnerable: ⚠️ Yes (the vulnerable function ships in the default build)
Notes: Exploitable only in applications that pass untrusted input, such as parsed JSON from a request body, to extendObject.

📦 What is this software?

Maker.js is a JavaScript library published by Microsoft (github.com/microsoft/maker.js) for creating 2D vector drawings and shape models programmatically, typically for CNC and laser-cutting workflows. It runs in Node.js and in the browser, and extendObject is one of its general-purpose helper functions for copying properties between objects.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution through prototype pollution, if a code path in the application reads a property the attacker was able to plant on Object.prototype, leading to full compromise of the host running the application.

🟠 Likely Case: Denial of service through application crashes or unexpected behaviour changes once properties injected into the prototype chain are picked up by unrelated code.

🟢 If Mitigated: Limited impact where applications do not pass untrusted input through extendObject, or validate the input before it gets there.

🌐 Internet-Facing: MEDIUM - Applications exposed to the internet that process user-supplied data through Maker.js are at risk.
🏢 Internal Only: LOW - Internal applications with controlled input sources have reduced risk.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the application to process attacker-controlled data through the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19.2 (or later)

Vendor Advisory: https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx

Restart Required: Yes

Instructions:

1. Update Maker.js to version 0.19.2 or later with npm update makerjs (or pin makerjs@^0.19.2 in package.json and reinstall, since npm update only moves within the existing semver range).
2. Restart any applications using Maker.js so the patched module is loaded.
3. Verify the update was successful by checking the installed version (see How to Verify below).

🔧 Temporary Workarounds

Input validation wrapper (applies to all platforms)

Create a wrapper function that validates input before passing it to extendObject. The wrapper below rejects the keys through which a property copy can reach the prototype chain; because extendObject itself is unchanged, every call site that handles untrusted data must go through the wrapper, including nested values that are later passed to extendObject on their own.

// JavaScript: wrap extendObject so keys that address the prototype chain are rejected
const makerjs = require('makerjs');
const BLOCKED_KEYS = ['__proto__', 'constructor', 'prototype'];
function safeExtendObject(target, source) {
  if (!source || typeof source !== 'object') return target;
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.includes(key)) throw new Error('rejected unsafe key: ' + key);
  }
  return makerjs.extendObject(target, source);
}
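
To show why the wrapper matters, the following is an added example, not Maker.js's code and not the vendor's fix: a generic recursive property-copying helper written in the vulnerable style, the constructed JSON payload that reaches Object.prototype through it, and a guarded variant that refuses the payload. The function names (unsafeExtend, safeExtend), the "polluted" marker property and the sample payload are all illustrative assumptions.

```javascript
'use strict';

// Keys through which a plain-object merge can reach Object.prototype.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive recursive property copy: for...in, no own-property check, no key filter.
// This is a generic stand-in for the vulnerable pattern, NOT Maker.js's extendObject.
function unsafeExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && target[key] && typeof target[key] === 'object') {
      // With key === '__proto__', target[key] evaluates to Object.prototype,
      // so the recursion writes the attacker's properties onto every object.
      unsafeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened copy: own enumerable keys only, dangerous keys rejected (fail closed),
// nested targets created only when they are the target's own plain objects.
function safeExtend(target, source) {
  if (!source || typeof source !== 'object') return target;
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`safeExtend: refusing to copy key "${key}"`);
    }
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, as it would arrive in a JSON request body.
// JSON.parse creates "__proto__" as an ordinary own property, so it survives
// into Object.keys() and for...in, unlike an object literal.
const PAYLOAD = JSON.parse('{"layer":"cut","__proto__":{"polluted":"yes"}}');

// True if the injected marker is now an own property of Object.prototype.
function isPolluted() {
  return Object.prototype.hasOwnProperty.call(Object.prototype, 'polluted');
}

// Runs the naive copy against the payload and reports whether it polluted
// Object.prototype, then removes the marker so the process stays usable.
function demoUnsafe() {
  const opts = { layer: 'default' };
  unsafeExtend(opts, PAYLOAD);
  const hit = isPolluted();
  delete Object.prototype.polluted;
  return hit;
}

// Runs the guarded copy against the same payload.
function demoSafe() {
  const opts = { layer: 'default' };
  let rejected = false;
  try {
    safeExtend(opts, PAYLOAD);
  } catch (e) {
    rejected = true;
  }
  return { rejected, polluted: isPolluted() };
}

console.log('naive copy polluted Object.prototype:', demoUnsafe());
console.log('guarded copy result:', demoSafe());
```

The guard throws rather than silently dropping the key so that a pollution attempt surfaces in the application's error logs, which is also where the Detection section below looks for it.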

🧯 If You Can't Patch

  • Implement strict input validation for all data passed to the extendObject function
  • Reject JSON bodies that contain the keys __proto__, constructor or prototype at any depth before they reach application code
  • Isolate Maker.js usage to trusted data sources only

🔍 How to Verify

Check if Vulnerable:

Check the installed version in node_modules/makerjs/package.json (the version range in your own package.json only shows what may be installed); any version <=0.19.1 is vulnerable

Check Version:

npm list makerjs

Verify Fix Applied:

Verify that the makerjs version resolved in package-lock.json and installed in node_modules is >=0.19.2, not only that package.json allows it, and check that the installed extendObject includes hasOwnProperty checks

📡 Detection & Monitoring

Log Indicators:

  • Unexpected application crashes, especially TypeErrors from objects carrying properties the code never set
  • Unusual object property modifications, such as a fresh {} object exposing a property it should not have
  • Errors raised by input validation wrappers that reject __proto__, constructor or prototype keys

Network Indicators:

  • JSON request bodies containing the keys __proto__, constructor or prototype, sent to endpoints whose data is fed to Maker.js

SIEM Query:

Search application error logs for 'prototype pollution', 'extendObject' or Maker.js stack traces, and web or WAF logs for request bodies containing "__proto__", "constructor" or "prototype" keys
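
As an added example of the network indicator above (not part of the original advisory or of Maker.js): a scanner that parses captured JSON request bodies and reports the dotted path of every key that could address the prototype chain, at any nesting depth. The sample bodies are constructed for the example, and the function names are illustrative.

```javascript
'use strict';

// Keys whose presence in untrusted JSON marks a prototype-pollution attempt.
const POLLUTION_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON value and return the dotted path of every dangerous key.
// Object.keys() sees "__proto__" on JSON.parse output because it is an own
// data property there, so the walk catches it at any depth.
function findPollutionKeys(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findPollutionKeys(item, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (POLLUTION_KEYS.has(key)) hits.push(here);
      hits.push(...findPollutionKeys(value[key], here));
    }
  }
  return hits;
}

// Scan raw request bodies and return one finding per suspicious body.
// Bodies that are not valid JSON are skipped: they cannot reach extendObject
// through a JSON parser, so they are out of scope for this indicator.
function scanBodies(bodies) {
  const findings = [];
  bodies.forEach((raw, index) => {
    let parsed;
    try {
      parsed = JSON.parse(raw);
    } catch (e) {
      return;
    }
    const keys = findPollutionKeys(parsed);
    if (keys.length > 0) findings.push({ index, keys });
  });
  return findings;
}

// Constructed sample bodies: two benign Maker.js-style model payloads, two hostile.
const SAMPLE_BODIES = [
  '{"paths":{"line1":{"type":"line","origin":[0,0],"end":[10,0]}}}',
  '{"models":{"box":{"paths":{}}},"layer":"cut"}',
  '{"layer":"cut","__proto__":{"polluted":true}}',
  '{"models":{"box":{"constructor":{"prototype":{"isAdmin":true}}}}}',
];

function demoScan() {
  return scanBodies(SAMPLE_BODIES);
}

console.log(JSON.stringify(demoScan(), null, 2));
```

Run this over bodies exported from the web server or WAF log; a finding names the exact key path, which is what you want to pivot on when checking whether the same client reached an endpoint that calls extendObject.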

🔗 References

  • GitHub Security Advisory GHSA-2cp6-34r9-54xx: https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx
  • CVE-2026-24888