Maker.js Prototype Pollution Vulnerability in Object Extension Function
Vulnerability
A vulnerability exists in Maker.js versions through 0.19.1 within the `makerjs.extendObject` function. This function copies properties from a source object to a target object without validating them: it performs no `hasOwnProperty()` check, so inherited properties, including potentially harmful ones, are transferred as well, and it does not filter out dangerous keys such as `__proto__`, `constructor`, and `prototype`, leaving applications open to exploitation. This issue is particularly concerning when extending objects with user input or merging options from untrusted sources.
Impact
This vulnerability can cause prototype pollution, allowing inherited properties to be added to objects, which can disrupt the expected behavior of the application. Such changes can interfere with security mechanisms that rely on property ownership checks, potentially leading to unauthorized access or actions.
Reproduction
To reproduce this vulnerability, use a version of Maker.js prior to 0.19.2. Call `extendObject` with a target object and a source object that carries inherited properties. The example provided in the advisory demonstrates this: a source object is created with a prototype that has additional properties, and those properties are then copied onto the target object without proper validation.
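The following is an added illustration, not Maker.js's own code: a shallow extend written in the unsafe shape the advisory describes (a `for...in` loop with no ownership check and no key filter), beside a hardened version that copies only own properties and refuses the prototype-related keys. The sample source objects are constructed here for the demonstration; the function names are assumptions.

```javascript
// Unsafe pattern (illustrative, not the library's source): for...in
// enumerates inherited enumerable properties, and nothing filters
// prototype-related keys such as "__proto__".
function extendObjectUnsafe(target, other) {
  if (target && other) {
    for (const key in other) {
      if (typeof other[key] !== 'undefined') {
        target[key] = other[key];
      }
    }
  }
  return target;
}

// Hardened version: copy own properties only and reject the dangerous keys.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function extendObjectSafe(target, other) {
  if (target && other) {
    for (const key of Object.keys(other)) {          // own properties only
      if (BLOCKED_KEYS.has(key)) continue;            // refuse prototype keys
      if (typeof other[key] !== 'undefined') {
        target[key] = other[key];
      }
    }
  }
  return target;
}

// Constructed sample inputs for the demonstration.
function makeInheritingSource() {
  // A source whose prototype carries an extra property, as in the advisory.
  const source = Object.create({ inheritedFlag: true });
  source.units = 'mm';
  return source;
}

function demo() {
  const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  // JSON.parse yields an *own* property literally named "__proto__".
  const protoKeyed = JSON.parse('{"__proto__": {"injected": 1}}');
  const unsafe = extendObjectUnsafe({}, makeInheritingSource());
  const safe = extendObjectSafe({}, makeInheritingSource());
  const safeProto = extendObjectSafe({}, protoKeyed);
  return {
    unsafeCopiedInherited: hasOwn(unsafe, 'inheritedFlag'), // true
    safeCopiedInherited: hasOwn(safe, 'inheritedFlag'),     // false
    safeCopiedOwn: safe.units === 'mm',                     // true
    safeProtoUntouched: Object.getPrototypeOf(safeProto) === Object.prototype
      && safeProto.injected === undefined,                  // true
  };
}
```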
Remediation
Users can update to Maker.js version 0.19.2, where this vulnerability has been fixed.
