CVE Reports

Originally published at cvereports.com


GHSA-ccgf-5rwj-j3hv: DOM XSS via Unsafe Deserialization in TeleJSON

Vulnerability ID: GHSA-CCGF-5RWJ-J3HV
CVSS Score: 5.1
Published: 2026-04-02

The telejson package prior to version 6.0.0 contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The package deserializer uses an unsanitized object property, _constructor-name_, within a dynamically generated function via new Function(). Attackers can supply crafted JSON payloads to achieve arbitrary JavaScript execution in the context of the vulnerable application.

TL;DR

TeleJSON < 6.0.0 passes unvalidated input from the _constructor-name_ JSON property into a new Function() call during deserialization. This allows attackers to achieve arbitrary code execution via crafted JSON payloads, often delivered through cross-frame messaging.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: DOM-based Cross-Site Scripting (XSS)
  • CWE ID: CWE-79, CWE-94
  • Attack Vector: Network
  • Privileges Required: None
  • CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  • Primary Mitigation: Upgrade to telejson >= 6.0.0

Affected Systems

  • Frontend applications utilizing the telejson library.
  • Storybook instances and custom addons communicating via window.postMessage.
  • telejson: < 6.0.0 (Fixed in: 6.0.0)

Mitigation Strategies

  • Upgrade telejson dependency to version 6.0.0 or higher.
  • Implement strong origin validation for any postMessage event listeners processing incoming JSON payloads.
  • Deploy a restrictive Content Security Policy (CSP) whose script-src omits the 'unsafe-eval' source keyword, so that new Function() is blocked even if a malicious payload reaches the deserializer.

Remediation Steps:

  1. Audit project dependencies using npm audit or yarn audit to identify vulnerable versions of telejson.
  2. Update telejson to version 6.0.0.
  3. Review application code that utilizes telejson.parse(). If custom prototype restoration is required, explicitly pass { allowFunction: true } in the options object.
  4. Review all window.addEventListener('message', ...) implementations. Ensure event.origin is rigorously validated against a trusted whitelist before allowing the payload to reach parsing logic.
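As an added example (not telejson's or Storybook's code) of the listener-hardening steps above, the following vets a postMessage payload before it is handed to telejson.parse(): origin allowlist first, then a structural check that every _constructor-name_ value is a plain identifier on an allowlist. The trusted origin, the allowed constructor names and the sample messages are constructed assumptions.

```javascript
// Defender-side gate for a window.postMessage listener that feeds telejson.parse().
// Origins and constructor names below are assumptions, not values from the advisory.
const TRUSTED_ORIGINS = new Set(['https://storybook.example.com']);
const ALLOWED_CONSTRUCTORS = new Set(['Date', 'RegExp', 'Map', 'Set']);
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Walk the parsed JSON and collect every _constructor-name_ that is not a plain
// identifier on the allowlist. Anything else has no legitimate reason to exist
// and would only matter once it reached the new Function() sink described above.
function findUnsafeConstructorNames(value, path = '$', out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findUnsafeConstructorNames(v, `${path}[${i}]`, out));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k === '_constructor-name_') {
        if (typeof v !== 'string' || !IDENT.test(v) || !ALLOWED_CONSTRUCTORS.has(v)) {
          out.push({ path, value: v });
        }
      } else {
        findUnsafeConstructorNames(v, `${path}.${k}`, out);
      }
    }
  }
  return out;
}

// Returns a verdict instead of throwing so the listener can log and drop.
// Order matters: cheap origin check first, JSON.parse (no prototype
// restoration) second, structural check third, deserializer never before that.
function vetMessage(origin, rawJson) {
  if (!TRUSTED_ORIGINS.has(origin)) return { ok: false, reason: 'untrusted origin' };
  let parsed;
  try { parsed = JSON.parse(rawJson); } catch { return { ok: false, reason: 'invalid json' }; }
  const bad = findUnsafeConstructorNames(parsed);
  if (bad.length) return { ok: false, reason: `rejected _constructor-name_ at ${bad[0].path}` };
  return { ok: true, data: parsed };
}

// Constructed sample messages (not captured traffic).
const benignMsg = JSON.stringify({ when: { '_constructor-name_': 'Date', value: '2026-04-02T00:00:00Z' } });
const rejectedMsg = JSON.stringify({ when: { '_constructor-name_': 'Not-An-Identifier', value: 1 } });

// Wiring in the page (commented so the block runs outside a browser):
// window.addEventListener('message', (e) => {
//   const v = vetMessage(e.origin, e.data);
//   if (v.ok) { /* only now: telejson.parse(JSON.stringify(v.data)) */ }
// });
```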

Read the full report for GHSA-CCGF-5RWJ-J3HV on our website for more details including interactive diagrams and full exploit analysis.
