CVE-2026-24888
Insecure Object Extension in Maker.js Allows Property Injection
Publication date: 2026-01-28
Last updated on: 2026-02-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | maker.js | up to 0.19.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Maker.js up to version 0.19.1 involves the makerjs.extendObject function, which copies properties from source objects without proper validation. It lacks hasOwnProperty() checks and does not filter dangerous keys, so inherited and potentially malicious properties are copied onto target objects. This is the prototype-pollution weakness classified as CWE-1321 and affects applications that pass untrusted input through this function.
How can this vulnerability impact me?
This vulnerability can expose your application to unauthorized property injection or manipulation, which could lead to information disclosure or integrity issues. Because the function copies properties without validation, attackers might inject properties that alter the application's behavior or data.
What immediate steps should I take to mitigate this vulnerability?
Update Maker.js to version 0.19.2 or later, which includes the patch fixing the vulnerability in the makerjs.extendObject function. Avoid using versions up to and including 0.19.1 until patched.
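The following is an added illustration of the CWE-1321 pattern described above, not Maker.js's own code: a generic extend function (hypothetical name extendObjectUnsafe) that walks inherited keys with for..in and never filters `__proto__`, beside a hardened form (hypothetical name extendObjectSafe) that applies the two checks the explanation names, own-property enumeration and a deny list for prototype-related keys. The JSON input is constructed for the demonstration.

```javascript
// Added example; generic code, not Maker.js's implementation.
// Keys that let a caller reach the prototype chain of the target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe pattern: for..in visits inherited enumerable properties as well,
// and nothing stops a key such as "__proto__" from being assigned, which
// triggers the Object.prototype.__proto__ setter and re-points the target's
// prototype.
function extendObjectUnsafe(target, ...sources) {
  for (const src of sources) {
    if (src == null) continue;
    for (const key in src) {
      target[key] = src[key];
    }
  }
  return target;
}

// Hardened pattern: own properties only (Object.keys), dangerous keys dropped,
// and the value installed as a plain data property so no inherited setter runs.
function extendObjectSafe(target, ...sources) {
  for (const src of sources) {
    if (src == null) continue;
    for (const key of Object.keys(src)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      Object.defineProperty(target, key, {
        value: src[key],
        writable: true,
        enumerable: true,
        configurable: true,
      });
    }
  }
  return target;
}

// Constructed input: JSON.parse creates an OWN property literally named
// "__proto__", which is exactly what a deny list must catch.
const untrustedJson = '{"width": 10, "__proto__": {"isAdmin": true}}';

// Constructed input for the hasOwnProperty() point: a source whose
// interesting property lives on its prototype, not on the object itself.
const sourceWithInherited = Object.assign(
  Object.create({ inheritedFlag: 'from prototype' }),
  { own: 1 }
);

// Returns what each variant produced from the constructed JSON.
function compareOnJson() {
  const unsafe = extendObjectUnsafe({}, JSON.parse(untrustedJson));
  const safe = extendObjectSafe({}, JSON.parse(untrustedJson));
  return {
    unsafe: {
      width: unsafe.width,
      isAdmin: unsafe.isAdmin,
      prototypeKept: Object.getPrototypeOf(unsafe) === Object.prototype,
    },
    safe: {
      width: safe.width,
      isAdmin: safe.isAdmin,
      prototypeKept: Object.getPrototypeOf(safe) === Object.prototype,
    },
    // Neither variant touches the shared Object.prototype in this shallow
    // copy; the check is here so a reader can confirm it.
    globalClean: ({}).isAdmin === undefined,
  };
}

// Returns whether each variant leaked an inherited property of the source.
function compareOnInherited() {
  return {
    unsafeCopiedInherited:
      extendObjectUnsafe({}, sourceWithInherited).inheritedFlag === 'from prototype',
    safeCopiedInherited:
      extendObjectSafe({}, sourceWithInherited).inheritedFlag === 'from prototype',
    safeCopiedOwn: extendObjectSafe({}, sourceWithInherited).own === 1,
  };
}

console.log(compareOnJson(), compareOnInherited());
```

The hardened variant is the general shape of the fix for this class of bug: enumerate only own keys, reject `__proto__`, `constructor` and `prototype` explicitly, and write values with `Object.defineProperty` so that no setter on the prototype chain can run during the copy.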