Executive Summary

CVE-2026-47099 is a DOM-based cross-site scripting (XSS) vulnerability in TeleJSON versions prior to 6.0.0. It occurs in the parse() function where a specially crafted JSON payload containing a malicious _constructor-name_ property is passed. The custom reviver function uses this constructor name directly in new Function() without sanitization, allowing attackers to inject and execute arbitrary JavaScript code.

This vulnerability can be exploited through vectors such as postMessage in cross-frame communication contexts, enabling script execution within the affected application.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to execute arbitrary JavaScript within the context of the vulnerable application. This can lead to impacts such as session hijacking, credential theft, or manipulation of the Document Object Model (DOM).

However, the severity is rated as Low with a CVSS score of 2.1, indicating limited exploitability and minimal impact on confidentiality and integrity.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying usage of telejson versions prior to 6.0.0 in your environment, especially where the parse() function processes JSON payloads containing the _constructor-name_ property.

You can monitor network traffic or application logs for JSON payloads that include the _constructor-name_ property with suspicious or unexpected values.

Since the vulnerability is triggered by crafted JSON payloads, commands to search for such payloads might include:

• Using grep or similar tools to find occurrences of telejson usage or vulnerable versions in your codebase: `grep -r "telejson" ./`
• Searching logs or captured network traffic for the _constructor-name_ property: `grep -r '"_constructor-name"' /path/to/logs`
• Using network monitoring tools (e.g., Wireshark or tcpdump) to capture and filter JSON payloads containing _constructor-name_: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep '_constructor-name'`

Additionally, reviewing application code to check if telejson.parse() is used without proper sanitization or without the allowFunction option enabled can help detect vulnerable implementations.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to upgrade telejson to version 6.0.0 or later, where the vulnerability has been fixed.

Version 6.0.0 introduces two key mitigations:

• A character allowlist via regex that strips non-word characters from the constructor name before passing it to new Function(), preventing injection of malicious code.
• Gating the vulnerable code path behind the allowFunction option, which must be explicitly enabled to allow execution of constructor functions.

If upgrading immediately is not possible, consider disabling or restricting features that accept JSON payloads with the _constructor-name_ property, especially in cross-frame communication contexts like postMessage.

Also, review and sanitize any input that is passed to telejson.parse() to prevent malicious payloads from reaching the vulnerable code.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary JavaScript execution within the application context, which could lead to session hijacking, credential theft, or DOM manipulation.

Such impacts could potentially affect compliance with standards and regulations like GDPR or HIPAA, which require protection of personal data and secure handling of user credentials.

However, the provided information does not explicitly discuss or analyze the direct effects of this vulnerability on compliance with these or other common standards and regulations.

Useful 0 Not Useful 0