Skip to main content

TeleJSON EUVDEUVD-2026-31150

| CVE-2026-47099 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-20 VulnCheck
2.1
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Severity Changed
May 20, 2026 - 20:22 NVD
MEDIUM LOW
CVSS changed
May 20, 2026 - 20:22 NVD
6.1 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 20, 2026 - 20:04 vuln.today
Analysis Generated
May 20, 2026 - 20:04 vuln.today

DescriptionCVE.org

TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application.

AnalysisAI

DOM-based cross-site scripting in telejson versions prior to 6.0.0 allows unauthenticated remote attackers to execute arbitrary JavaScript by supplying a crafted JSON payload to the parse() function, specifically via a malicious _constructor-name_ property that is injected unsanitized into a new Function() call during prototype reconstruction. All applications using telejson < 6.0.0 that pass externally-sourced JSON - particularly those using postMessage for cross-frame communication - to telejson.parse() are affected. No public exploit has been identified at time of analysis, though the GHSA advisory (GHSA-ccgf-5rwj-j3hv) publishes both vulnerable and patched source code at named release tags, substantially lowering the barrier to exploitation. Vendor-released patch is available as telejson 6.0.0.

Technical ContextAI

TeleJSON (CPE: cpe:2.3:a:storybookjs:telejson) is an npm package by Storybook used to serialize and deserialize JavaScript objects - including those with custom prototypes - primarily for cross-frame communication scenarios. The vulnerable code path lives in parse()'s custom reviver: when deserializing an object that carries a _constructor-name_ property, the reviver at src/index.ts lines 293-299 (v5.3.3) passes the raw name string directly into new Function() via template literal interpolation (e.g., new Function('return function ${name}(){}')()). Because CWE-79 (Improper Neutralization of Input During Web Page Generation) is the root cause, any non-word characters in the attacker-controlled name value escape the function wrapper and become executable JavaScript. The fix in 6.0.0 applies two mitigations simultaneously: it strips non-word characters with a regex allowlist (name.replace(/[\W_]+/g, '')) before passing to new Function(), and gates the entire prototype-reconstruction code path behind a new allowFunction option, so applications that do not need this feature are no longer exposed by default.

RemediationAI

Upgrade telejson to version 6.0.0 or later - this is the vendor-confirmed fix documented in GHSA-ccgf-5rwj-j3hv (https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv). The 6.0.0 release sanitizes constructor names via regex and gates the code path behind allowFunction, meaning the vulnerable new Function() call is not reached unless explicitly enabled. If an immediate upgrade is not feasible, the most effective compensating control is to strip or reject any _constructor-name_ key from JSON input before passing it to telejson.parse() - this prevents the vulnerable reviver branch from activating entirely, with no functional side effect for applications not relying on custom prototype reconstruction. Applications that use postMessage for cross-frame messaging should additionally validate message origin against a strict allowlist (event.origin === 'https://trusted-domain.example') before passing message data to telejson.parse(), which limits the attacker's delivery channel; note that origin validation alone does not fix the underlying unsanitized new Function() call and must be combined with input sanitization or upgrade. Generic 'disable JavaScript' or WAF-based mitigations are ineffective for DOM-based XSS of this class.

Share

EUVD-2026-31150 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy