Vulnerability ID: GHSA-2cp6-34r9-54xx Package: makerjs (npm) Affected versions: <= 0.19.1 Patched versions: None Severity: Moderate (6.5/10) CVE ID: CVE-2026-24888 Weaknesses: CWE-1321 Description: Summary copies properties without validation, risking security. Lack of check allows for inherited properties and potential malicious property copying. Details Issues: - No check for inherited properties. - No filtering of dangerous keys ( , , ). - No property source validation. Affected Code: The code iterates over source object properties using a loop. PoC: Using to inject properties like into a target object. Impact: Security Implications: Unexpected behavior: Properties appear but are not own properties. Security bypass risk: Validation could be bypassed. Future risk: Lack of dangerous key filtering exposes attack vectors. Affected Use Cases: Extending objects from user input or external APIs. Merging options from untrusted sources.