CVE-2026-24888: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in microsoft maker.js
CVE-2026-24888 is a medium severity prototype pollution vulnerability in Microsoft maker.js versions up to 0.19.1. The flaw arises from the makerjs.extendObject function, which copies properties from source objects without validating ownership or filtering dangerous keys, allowing malicious prototype properties to be injected. This can lead to unauthorized modification of object prototypes, potentially causing integrity and confidentiality issues in applications using maker.js for 2D vector drawing and CNC/laser cutting modeling. Exploitation requires no authentication or user interaction and can be performed remotely over the network. A patch addressing this issue is included in version 0.
AI Analysis
Technical Summary
CVE-2026-24888 is a prototype pollution vulnerability (CWE-1321) in Microsoft maker.js, a JavaScript library for 2D vector line drawing and shape modeling that is used in particular to generate CNC and laser-cutting geometry. The flaw is in makerjs.extendObject, the helper that copies properties from a source object onto a target object. In versions up to and including 0.19.1 the function iterates over every enumerable key of the source without checking that the key is an own property (hasOwnProperty) and without filtering dangerous names such as __proto__, constructor and prototype. Two consequences follow. Properties the source merely inherits are copied onto the target, and a source carrying a __proto__ key, which JSON.parse produces as an ordinary own property from attacker-supplied text, rewrites the target's prototype chain, so the target reports attacker-chosen values for properties it never defined. An attacker who can get such an object into the library can therefore alter application behaviour, leak data, or bypass checks that rely on object shape. The CVSS v3.1 vector models network exploitation with no privileges and no user interaction (base score 6.5, medium; low impact on confidentiality and integrity, none on availability). In practice this presupposes an application that passes attacker-controlled data, for example decoded JSON model or option objects, into maker.js, since the library itself exposes no network surface. No exploitation in the wild has been reported, but the library's place in manufacturing and design automation software makes the flaw worth taking seriously. A fix has been committed and is expected in version 0.19.2.
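The following is an added illustration, not code from the maker.js repository: a copy routine of the shape the advisory describes (for...in over the source, no own-property check, no key filter) beside a hardened version, with a small demo that feeds both the same untrusted JSON. The property names (units, layer, trustedSource) and the payload are constructed for the example.

```javascript
// Added example, not maker.js source: an extendObject of the shape the advisory
// describes, beside a hardened version, and a demo that exercises both.

// Assumed shape of the vulnerable copy. "__proto__" is not an ordinary property
// when it is assigned: target["__proto__"] = x invokes the accessor inherited
// from Object.prototype and replaces the target's prototype with x.
function extendObjectVulnerable(target, other) {
  if (target && other) {
    for (const key in other) {            // also walks inherited enumerable keys
      if (typeof other[key] !== 'undefined') {
        target[key] = other[key];
      }
    }
  }
  return target;
}

// Names that address the prototype chain instead of the object itself.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened copy: own enumerable keys only, dangerous names dropped, and the
// value written with defineProperty so that no setter on the chain can run.
function extendObjectSafe(target, other) {
  if (target && other) {
    for (const key of Object.keys(other)) {
      if (BLOCKED_KEYS.has(key) || typeof other[key] === 'undefined') continue;
      Object.defineProperty(target, key, {
        value: other[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Constructed attacker input: option JSON from an untrusted client. JSON.parse
// turns the "__proto__" member into an ordinary own property of the result.
const UNTRUSTED_JSON =
  '{"units":"mm","__proto__":{"layer":"engrave","trustedSource":true}}';

// Runs one extend implementation against the payload and against a source
// object whose only property is inherited; returns what a caller would observe.
function demo(extend) {
  const options = extend({ units: 'inch' }, JSON.parse(UNTRUSTED_JSON));
  const fromInherited = extend({}, Object.create({ inherited: 'yes' }));
  return {
    units: options.units,                 // legitimate own property, copied either way
    layer: options.layer,                 // 'engrave' only if the prototype was replaced
    trustedSource: options.trustedSource,
    layerIsOwn: Object.prototype.hasOwnProperty.call(options, 'layer'),
    inherited: fromInherited.inherited,   // copied only without the own-property check
    globalPolluted: Object.prototype.hasOwnProperty.call(Object.prototype, 'layer'),
  };
}

console.log('vulnerable:', demo(extendObjectVulnerable));
console.log('hardened:  ', demo(extendObjectSafe));
```

With the vulnerable copy the returned options object answers options.layer === 'engrave' and options.trustedSource === true although neither is an own property, and a source whose property lives only on its prototype is copied as well; the hardened copy leaves both untouched. Note that a shallow copy of this shape confines the damage to the object whose prototype was replaced (here the function's return value, or a shared defaults object if that is what the application passes as target); where application code merges recursively, the same missing checks resolve __proto__ to Object.prototype and affect every object in the process.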
Potential Impact
For European organizations, especially in manufacturing, industrial design and CNC machining, the risk is unauthorized modification of application behaviour and data within systems that embed maker.js. A prototype replaced or extended with attacker-chosen properties can cause subtle data corruption, leak design information, or alter the geometry handed to CNC or laser toolpaths, producing defective parts or exposing intellectual property. Because maker.js sits in automation and precision-tooling workflows, integrity failures can translate into costly production errors or, where the output drives machinery, safety hazards. The absence of an availability impact in the CVSS vector means denial of service is not the expected outcome, but it does not reduce the potential for a quiet, persistent compromise. Organizations integrating maker.js into toolchains or custom applications should treat this as a moderate risk that warrants timely remediation to avoid operational and reputational damage.
Mitigation Recommendations
European organizations should inventory every system that bundles maker.js and identify builds at or below 0.19.1; check lock files and bundled frontend assets as well as direct dependencies, since the library is often pulled in transitively or shipped inside a browser bundle. The primary fix is upgrading to version 0.19.2 or later, where extendObject validates the properties it copies. Where the upgrade cannot be applied immediately, treat every object built from untrusted input that reaches extendObject, directly or through library functions that call it internally, as attack surface, and strip the keys __proto__, constructor and prototype at every depth before the object enters the library (a JSON.parse reviver is the cheapest place to do this). At process level, Node.js can be started with --disable-proto=delete so that the __proto__ accessor no longer exists, and Object.prototype can be frozen at startup if no dependency extends it (assignment then fails silently in sloppy mode and throws in strict mode). For runtime detection, snapshot the own keys of Object.prototype at startup and compare them periodically or after each request; an unexpected key is a high-fidelity signal. Static analysis rules for unsafe property copying (for-in without an own-property check, merges without key filtering) catch the same pattern in first-party code. Sandboxing or containerizing the process limits what a compromised process can reach, but pollution happens inside the JavaScript heap, so isolation reduces blast radius rather than preventing the bug. Keep the asset inventory current and monitor threat intelligence sources for exploitation reports targeting this vulnerability.
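Two of the interim measures above, sanitizing untrusted JSON before it reaches the library and a runtime canary for prototype changes, as an added example that is not maker.js code. The payload and the pollutionCanary key are constructed for the demo; the assumed context is a service that decodes client-supplied model or option JSON and hands it to maker.js.

```javascript
// Added example, not maker.js code: boundary defences for deployments that
// cannot upgrade yet. Assumed context: untrusted JSON that will reach maker.js.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// 1. Parse untrusted JSON with a reviver that drops the dangerous keys at every
//    depth. Returning undefined from a reviver deletes that member from its
//    holder, so the keys never exist as own properties of the parsed object.
function parseUntrustedJson(text) {
  return JSON.parse(text, (key, value) => (DANGEROUS_KEYS.has(key) ? undefined : value));
}

// 2. Runtime canary: record the own keys of the shared prototypes at startup and
//    report any key that appears later. Cheap enough to run per request or from
//    a health-check endpoint.
const WATCHED_PROTOTYPES = [Object.prototype, Array.prototype, Function.prototype];
const WATCHED_NAMES = ['Object', 'Array', 'Function'];

function snapshotPrototypes() {
  return WATCHED_PROTOTYPES.map((proto) => new Set(Reflect.ownKeys(proto)));
}

function detectPrototypeChanges(baseline) {
  const findings = [];
  WATCHED_PROTOTYPES.forEach((proto, i) => {
    for (const key of Reflect.ownKeys(proto)) {
      if (!baseline[i].has(key)) {
        findings.push({ prototype: WATCHED_NAMES[i], key: String(key) });
      }
    }
  });
  return findings;
}

// Constructed payload covering the three usual routes: a top-level __proto__,
// the constructor.prototype path, and a __proto__ buried in a nested member.
// Written as a string on purpose: in an object literal, __proto__: x would set
// the literal's prototype instead of creating an own property.
const PAYLOAD =
  '{"units":"mm","__proto__":{"layer":"engrave"},' +
  '"constructor":{"prototype":{"layer":"engrave"}},' +
  '"nested":{"__proto__":{"hidden":true}}}';

function runDemo() {
  const clean = parseUntrustedJson(PAYLOAD);
  const baseline = snapshotPrototypes();
  Object.prototype.pollutionCanary = true;   // simulate a pollution elsewhere in the process
  const findings = detectPrototypeChanges(baseline);
  delete Object.prototype.pollutionCanary;   // clean up so the rest of the process is unaffected
  return {
    topLevelKeys: Object.keys(clean),        // units, nested: the dangerous keys are gone
    nestedKeys: Object.keys(clean.nested),   // empty: the nested __proto__ was dropped too
    nestedHidden: clean.nested.hidden,       // undefined: no prototype swap happened
    findings,                                // one entry for the simulated pollution
  };
}

console.log(runDemo());
```

The reviver runs bottom-up, so a __proto__ or constructor member is removed at any nesting depth before the parsed object is returned to the caller. The canary only reports keys added to the watched prototypes; an attacker overwriting an existing entry such as toString would need a value comparison as well, and the check is a detection aid, not a substitute for the upgrade.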
Affected Countries
Germany, Italy, France, United Kingdom, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-27T19:35:20.528Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 697a84c24623b1157cf1f0bb
Added to database: 1/28/2026, 9:50:58 PM
Last enriched: 1/28/2026, 10:05:13 PM
Last updated: 1/28/2026, 11:14:17 PM