Описание
Maker.js has Unsafe Property Copying in makerjs.extendObject
Summary
The makerjs.extendObject function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks hasOwnProperty() checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects.
Details
The extendObject function iterates over source object properties using a for...in loop without:
- Checking
hasOwnProperty()to exclude inherited properties - Filtering dangerous keys (
__proto__,constructor,prototype) - Validating property sources
Affected Code
PoC
Impact
Security Implications
-
Unexpected Behavior: Properties may appear on target objects but not be own properties, breaking
hasOwnProperty()assumptions in security-sensitive code. -
Security Bypass Risk: Code relying on
hasOwnProperty()for validation could be bypassed. -
Future Risk: Lack of dangerous key filtering (
__proto__,constructor,prototype) exposes potential attack vectors.
Affected Use Cases
- Extending objects from user input or external APIs
- Merging options from untrusted sources
Ссылки
- https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx
- https://nvd.nist.gov/vuln/detail/CVE-2026-24888
- https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8
- https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241
Пакеты
makerjs
<= 0.19.1
0.19.2
Связанные уязвимости
Maker.js is a 2D vector line drawing and shape modeling for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2.