Cyber Resilience

CVE-2026-24888

Severity: Medium · Public PoC

Published: 28 January 2026
Modified: 09 February 2026
KEV Added: not listed
Patch: commit 85e0f12bd868974b891601a141974f929dec36b8 (expected in Maker.js 0.19.2)
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0088 (54.4th percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-24888 is a medium-severity Prototype Pollution (CWE-1321) vulnerability in Microsoft Maker.Js. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24888 is a vulnerability in Maker.js, a JavaScript library for 2D vector line drawing and shape modeling used with CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects to target objects without proper validation. It lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied, which aligns with CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, or prototype pollution). The issue carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and was published on 2026-01-28.

The vulnerability enables exploitation over the network with low attack complexity, requiring no privileges, no user interaction, and no change in scope. Any remote attacker can leverage it if untrusted input reaches the `makerjs.extendObject` function, such as through parsed files or data in web applications using Maker.js. Successful exploitation allows low-impact confidentiality and integrity violations, typically by polluting object prototypes and altering application behavior.

Mitigation is addressed in GitHub commit 85e0f12bd868974b891601a141974f929dec36b8, expected to be included in Maker.js version 0.19.2. Security practitioners should update to the patched version and review the GitHub security advisory GHSA-2cp6-34r9-54xx for further details. The vulnerable code is visible in the maker.ts source at lines 232-241 prior to the fix.
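To make the weakness class and the fix concrete, here is an added JavaScript illustration. It is not Maker.js source and not the project's patch: `naiveExtend` is a hypothetical shallow copy in the style the advisory describes (no `hasOwnProperty()` check, no key filtering), `safeExtend` is a hardened form of the same routine, and `findForbiddenKeys` is an input-validation check that can be run on a parsed document before it reaches any extend-style function. The sample input is constructed for the example.

```javascript
// Added example, not Maker.js code. All function names and the sample input
// below are hypothetical and constructed for illustration.

// Keys that must never be copied from untrusted input onto a plain object:
// assigning "__proto__" rewires the target's prototype chain, and
// "constructor"/"prototype" are the usual stepping stones in deep merges.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Weak pattern: for-in yields inherited enumerable properties as well as own
// ones, and nothing stops prototype-related keys from being assigned.
function naiveExtend(target, source) {
  for (const key in source) {
    target[key] = source[key];
  }
  return target;
}

// Hardened pattern: only own properties, never the prototype-related keys,
// and only plain objects on both sides.
function safeExtend(target, source) {
  if (target === null || typeof target !== "object") return target;
  if (source === null || typeof source !== "object") return target;
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue; // skip inherited
    if (FORBIDDEN_KEYS.has(key)) continue;                            // skip dangerous keys
    target[key] = source[key];
  }
  return target;
}

// Validation helper: walk a parsed JSON document and return JSONPath-like
// locations of any forbidden key, so the document can be rejected up front.
function findForbiddenKeys(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findForbiddenKeys(item, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const key of Object.keys(value)) {   // own keys, including one literally named "__proto__"
      const here = `${path}.${key}`;
      if (FORBIDDEN_KEYS.has(key)) hits.push(here);
      hits.push(...findForbiddenKeys(value[key], here));
    }
  }
  return hits;
}

// Constructed untrusted input, as it would arrive from a parsed file. Note that
// JSON.parse creates an *own* property whose name is "__proto__".
const UNTRUSTED_JSON = '{"__proto__": {"polluted": true}, "width": 10}';

function describe(target) {
  return {
    width: target.width,
    polluted: target.polluted,   // only present if the prototype chain was tampered with
    prototypeIntact: Object.getPrototypeOf(target) === Object.prototype,
  };
}

// Weak copy: the target's prototype is replaced by the attacker-supplied object.
function demoNaive() {
  return describe(naiveExtend({}, JSON.parse(UNTRUSTED_JSON)));
}

// Hardened copy: "width" is copied, "__proto__" is dropped, prototype untouched.
function demoSafe() {
  return describe(safeExtend({}, JSON.parse(UNTRUSTED_JSON)));
}

// Inherited properties: the weak copy takes them, the hardened copy does not.
function demoInherited() {
  const source = Object.create({ inherited: "from-prototype" });
  source.own = "own-value";
  const naive = naiveExtend({}, source);
  const safe = safeExtend({}, source);
  return { naiveInherited: naive.inherited, safeInherited: safe.inherited, safeOwn: safe.own };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("naive:", demoNaive());
  console.log("safe:", demoSafe());
  console.log("inherited:", demoInherited());
  console.log("forbidden keys:", findForbiddenKeys(JSON.parse(UNTRUSTED_JSON)));
}
```

The shallow case shown here changes only the target's own prototype chain rather than the shared `Object.prototype`; the same missing checks become far more serious in any recursive merge built on such a routine, which is why both the `hasOwnProperty()` test and the key deny-list belong in the copy routine and not only in callers.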


Vulnerability details

Maker.js is a 2D vector line drawing and shape modeling library for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.

CWE(s): CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is exploitable over the network with no privileges or user interaction in web applications using Maker.js, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23659 (same vendor: Microsoft)
CVE-2025-59237 (same vendor: Microsoft)
CVE-2025-55232 (same vendor: Microsoft)
CVE-2026-21532 (same vendor: Microsoft)
CVE-2025-53772 (same vendor: Microsoft)
CVE-2025-21368 (same vendor: Microsoft)
CVE-2026-21531 (same vendor: Microsoft)
CVE-2025-49712 (same vendor: Microsoft)
CVE-2026-32191 (same vendor: Microsoft)
CVE-2025-24043 (same vendor: Microsoft)

Affected Assets

microsoft maker.js, versions ≤ 0.19.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): flaw remediation requires timely patching of vulnerable third-party libraries like Maker.js to version 0.19.2, directly eliminating the prototype pollution vulnerability in extendObject.

Detect (RA-5, Vulnerability Monitoring and Scanning): vulnerability monitoring and scanning identifies deployed instances of vulnerable Maker.js versions affected by CVE-2026-24888 for prioritization and remediation.

Prevent (SI-10, Information Input Validation): information input validation sanitizes untrusted object inputs before passing them to makerjs.extendObject, blocking malicious properties that enable prototype pollution.
