GHSA-ccgf-5rwj-j3hv: DOM XSS via Unsafe Deserialization in TeleJSON

Source: DEV Community
Vulnerability ID: GHSA-CCGF-5RWJ-J3HV
CVSS Score: 5.1
Published: 2026-04-02

The telejson package prior to version 6.0.0 contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The package's deserializer uses an unsanitized object property, _constructor-name_, inside a function body generated dynamically with new Function(). Attackers can supply crafted JSON payloads to achieve arbitrary JavaScript execution in the context of the vulnerable application.

TL;DR

TeleJSON < 6.0.0 passes unvalidated input from the _constructor-name_ JSON property into a new Function() call during deserialization. This allows attackers to achieve arbitrary code execution via crafted JSON payloads, often delivered through cross-frame messaging.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: DOM-based Cross-Site Scripting (XSS)
CWE ID: CWE-79, CWE-94
Attack Vector: Network
Privileges Required: None
CVSS v4.0 Vector: CVSS:4.0/AV:
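An added example, not telejson's own code, of how a deserializer can restore constructor-tagged objects without ever handing the _constructor-name_ value to new Function(): the value must be a bare identifier on an allowlist, and the class is named through a computed property key, so the name stays data rather than source text. The wire format used here (an object carrying _constructor-name_ beside its fields), the allowlist entries and the sample messages are assumptions.

```javascript
// Added example (not telejson's own code): revive class-tagged objects without new Function().
const CONSTRUCTOR_KEY = '_constructor-name_';
// Only bare JS identifiers pass; anything else is treated as hostile input.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
// Assumed allowlist: the constructors this application actually expects to receive.
const ALLOWED_CONSTRUCTORS = new Set(['Point', 'Range']);

function validateConstructorName(name) {
  if (typeof name !== 'string' || !IDENTIFIER_RE.test(name)) {
    throw new TypeError('rejected constructor name: not a bare identifier');
  }
  if (!ALLOWED_CONSTRUCTORS.has(name)) {
    throw new TypeError(`rejected constructor name: ${name} is not allowlisted`);
  }
  return name;
}

// A computed property key names the class; the name stays data, never source text.
function namedClass(name) {
  return { [name]: class {} }[name];
}

function safeReviver(key, value) {
  const tagged = value !== null && typeof value === 'object' && !Array.isArray(value)
    && Object.prototype.hasOwnProperty.call(value, CONSTRUCTOR_KEY);
  if (!tagged) return value;
  const obj = new (namedClass(validateConstructorName(value[CONSTRUCTOR_KEY])))();
  for (const [k, v] of Object.entries(value)) {
    // defineProperty rather than assignment: a "__proto__" field in the JSON must
    // become an own data property, not replace the instance's prototype.
    if (k !== CONSTRUCTOR_KEY) {
      Object.defineProperty(obj, k, { value: v, writable: true, enumerable: true, configurable: true });
    }
  }
  return obj;
}

function safeParse(text) {
  return JSON.parse(text, safeReviver);
}

// Returns {ok, value|error} so callers can log rejections instead of crashing.
function parseOrError(text) {
  try { return { ok: true, value: safeParse(text) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
// Constructed sample messages (not real traffic): well-formed, and one whose name is not an identifier.
const GOOD = JSON.stringify({ p: { [CONSTRUCTOR_KEY]: 'Point', x: 1, y: 2 } });
const BAD = JSON.stringify({ p: { [CONSTRUCTOR_KEY]: 'Point(); 1', x: 1 } });
```

A rejection from parseOrError is the signal to log: on a receiver that takes messages from other frames, a non-identifier or unlisted _constructor-name_ is exactly the input shape this advisory describes.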