Threat Advisory

MakerJS Vulnerability Grants Unsafe Object Property Extension Function

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium


EXECUTIVE SUMMARY:

A vulnerability, CVE-2026-24888, has been identified in the makerjs open-source JavaScript library affecting versions up to and including, where the makerjs.extendObject function fails to properly validate object properties when copying from source to target. The function lacks safeguards such as hasOwnProperty() checks and filters for the dangerous keys constructor and prototype. This unsafe property copying can allow malicious or inherited properties to be introduced into target objects, potentially leading to unexpected behavior and security bypasses in applications that rely on extendObject to merge untrusted input or options, and it increases the attack surface for prototype pollution-related exploitation. A fix has been included in subsequent releases to mitigate this issue, and developers using the affected versions should upgrade. The vulnerability has a CVSS score of 6.5.

 

RECOMMENDATION:

  • We strongly recommend you update MakerJS to version 0.19.2 or later.
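
The copy pattern described in the summary, shown beside a hardened form with a small check that can be pointed at any merge helper. This is an added example, not MakerJS code: unsafeExtend is a hypothetical stand-in for the unsafe pattern, safeExtend is one possible hardened form, and the __proto__ key and all sample inputs are assumptions constructed here.

```javascript
// Added example, not MakerJS source code.
// Keys named in the advisory, plus __proto__ (an assumption added here).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical stand-in for the unsafe pattern: for...in also visits
// inherited enumerable properties, and no key is filtered.
function unsafeExtend(target, source) {
  for (const key in source) {
    target[key] = source[key];
  }
  return target;
}

// Hardened form: own enumerable properties only, blocked keys skipped.
function safeExtend(target, source) {
  if (source === null || typeof source !== 'object') return target;
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    target[key] = source[key];
  }
  return target;
}

// Runs a merge function over constructed inputs and lists unsafe behaviours.
function auditMerge(merge) {
  const findings = [];
  // Constructed input 1: a source whose prototype carries an extra property.
  const inheritedSource = Object.create({ isAdmin: true });
  inheritedSource.units = 'mm';
  const t1 = merge({}, inheritedSource);
  if (Object.prototype.hasOwnProperty.call(t1, 'isAdmin')) {
    findings.push('copies inherited properties');
  }
  // Constructed input 2: parsed JSON, where dangerous keys are own properties.
  const parsed = JSON.parse('{"units":"mm","__proto__":{"x":1},"constructor":"y"}');
  const t2 = merge({}, parsed);
  if (Object.getPrototypeOf(t2) !== Object.prototype) {
    findings.push('replaces the target prototype');
  }
  if (t2.constructor !== Object) {
    findings.push('overwrites constructor');
  }
  return findings;
}

console.log('unsafeExtend:', auditMerge(unsafeExtend));
console.log('safeExtend:', auditMerge(safeExtend));
```

An empty findings list means the helper ignored inherited properties and the blocked keys for these inputs; it does not cover nested (deep) merges.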

 
