GHSA-2CP6-34R9-54XX

Vulnerability from github – Published: 2026-01-29 15:18 – Updated: 2026-01-29 15:18
VLAI?
Summary
Maker.js has Unsafe Property Copying in makerjs.extendObject
Details

Summary

The makerjs.extendObject function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks hasOwnProperty() checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects.

Details

The extendObject function iterates over source object properties using a for...in loop without: 1. Checking hasOwnProperty() to exclude inherited properties 2. Filtering dangerous keys (__proto__, constructor, prototype) 3. Validating property sources

Affected Code

File: https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241

PoC

const makerjs = require('makerjs');

const source = { __proto__: { name: 'Ravi', isAdmin: true } };
const target = { name: 'user' };
const result = makerjs.extendObject(target, source);

console.log(result.name);  // Ravi
console.log(result.isAdmin);   // true

Impact

Security Implications

  1. Unexpected Behavior: Properties may appear on target objects but not be own properties, breaking hasOwnProperty() assumptions in security-sensitive code.

  2. Security Bypass Risk: Code relying on hasOwnProperty() for validation could be bypassed.

  3. Future Risk: Lack of dangerous key filtering (__proto__, constructor, prototype) exposes potential attack vectors.

Affected Use Cases

  • Extending objects from user input or external APIs
  • Merging options from untrusted sources
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.19.1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "makerjs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.19.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24888"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-29T15:18:33Z",
    "nvd_published_at": "2026-01-28T22:15:56Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects.\n\n### Details\nThe `extendObject` function iterates over source object properties using a `for...in` loop without:\n1. Checking `hasOwnProperty()` to exclude inherited properties\n2. Filtering dangerous keys (`__proto__`, `constructor`, `prototype`)\n3. Validating property sources\n\n### Affected Code\n\n**File**: https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241\n\n\n\n### PoC\n```javascript\nconst makerjs = require(\u0027makerjs\u0027);\n\nconst source = { __proto__: { name: \u0027Ravi\u0027, isAdmin: true } };\nconst target = { name: \u0027user\u0027 };\nconst result = makerjs.extendObject(target, source);\n\nconsole.log(result.name);  // Ravi\nconsole.log(result.isAdmin);   // true\n```\n\n\n### Impact\n### Security Implications\n\n1. **Unexpected Behavior**: Properties may appear on target objects but not be own properties, breaking `hasOwnProperty()` assumptions in security-sensitive code.\n\n2. **Security Bypass Risk**: Code relying on `hasOwnProperty()` for validation could be bypassed.\n\n3. **Future Risk**: Lack of dangerous key filtering (`__proto__`, `constructor`, `prototype`) exposes potential attack vectors.\n\n### Affected Use Cases\n\n- Extending objects from user input or external APIs\n- Merging options from untrusted sources",
  "id": "GHSA-2cp6-34r9-54xx",
  "modified": "2026-01-29T15:18:33Z",
  "published": "2026-01-29T15:18:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24888"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/microsoft/maker.js"
    },
    {
      "type": "WEB",
      "url": "https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Maker.js has Unsafe Property Copying in makerjs.extendObject"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.