GHSA-ccgf-5rwj-j3hv: TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
telejson versions prior to 6.0.0 (released 2022) are vulnerable to DOM-based Cross-Site Scripting (XSS) through unsafe deserialisation. Attacker-controlled input from the `_constructor-name_` property of parsed JSON is passed directly to `new Function()` without sanitisation, allowing arbitrary JavaScript execution in the page.
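The safe alternative to evaluating the tag string, as an added example that is not telejson's own code: a `JSON.parse` reviver that maps the `_constructor-name_` tag (the key name as given in the advisory) to a fixed allowlist of constructors and refuses anything else. The application classes, the allowlist and the refused-key set are assumptions for this example.

```javascript
// Added example, not telejson's code: rebuild tagged objects from an allowlist
// instead of evaluating the tag string with new Function('return ' + name)().
const TAG = '_constructor-name_'; // tag key as named in the advisory

// Constructed application classes; the allowlist is an assumption.
class Point { constructor(x = 0, y = 0) { this.x = x; this.y = y; } }
class Range { constructor(lo = 0, hi = 0) { this.lo = lo; this.hi = hi; } }
const ALLOWED = new Map([['Point', Point], ['Range', Range]]);

// Field names that would let a payload tamper with the prototype chain or
// the constructor of the rebuilt object; refused outright.
const REFUSED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse reviver: plain values pass through; tagged objects are rebuilt
// only when the tag is a string that maps to an allowlisted constructor.
function reviveTagged(key, value) {
  if (value === null || typeof value !== 'object' || !(TAG in value)) return value;
  const { [TAG]: name, ...fields } = value;
  const Ctor = typeof name === 'string' ? ALLOWED.get(name) : undefined;
  if (!Ctor) throw new TypeError(`refusing unknown constructor tag ${JSON.stringify(name)}`);
  const obj = Object.create(Ctor.prototype);
  for (const [k, v] of Object.entries(fields)) {
    if (REFUSED_KEYS.has(k)) throw new TypeError(`refusing field ${k}`);
    Object.defineProperty(obj, k, { value: v, enumerable: true, writable: true, configurable: true });
  }
  return obj;
}

function safeParse(text) { return JSON.parse(text, reviveTagged); }

// True when the reviver rejects `text` (a SyntaxError from JSON.parse is not a rejection).
function isRejected(text) {
  try { safeParse(text); return false; } catch (e) { return e instanceof TypeError; }
}

// Constructed inputs: a benign payload, plus two that a deserialiser built on
// new Function() would have interpreted rather than rejected.
const BENIGN = JSON.stringify({ p: { [TAG]: 'Point', x: 1, y: 2 } });
const UNKNOWN_TAG = JSON.stringify({ p: { [TAG]: 'NotAnAllowedClass', x: 1 } });
const PROTO_FIELD = `{"p":{"${TAG}":"Point","__proto__":{"polluted":true}}}`;
```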