What is GHSA-CCGF-5RWJ-J3HV?

DOM XSS in TeleJSON <6.0.0 via unsafe _constructor-name_ in new Function() during JSON deserialization.

How to fix TeleJSON XSS vulnerability?

Upgrade to >=6.0.0, validate postMessage origins, deploy CSP sans unsafe-eval.

Does TeleJSON vuln affect Storybook?

Yes, especially addons using postMessage; audit and patch immediately.

⚙️ DevOps & Platform Eng

TeleJSON's DOM XSS Flaw: The PostMessage Trap Snaring Storybook Devs

Q: What is GHSA-CCGF-5RWJ-J3HV?

DOM XSS in TeleJSON <6.0.0 via unsafe _constructor-name_ in new Function() during JSON deserialization.

Q: How to fix TeleJSON XSS vulnerability?

Upgrade to >=6.0.0, validate postMessage origins, deploy CSP sans unsafe-eval.

Imagine a malicious addon slipping arbitrary JavaScript into your dev tools via a simple JSON payload. That's the TeleJSON vuln hitting Storybook setups hard — and it's easier to exploit than you think.

DevTools Feed Apr 03, 2026 3 min read

Diagram of TeleJSON DOM XSS exploit chain via postMessage in Storybook iframe

⚡ Key Takeaways

TeleJSON <6.0.0 enables DOM XSS via crafted JSON in postMessage, CVSS 5.1. 𝕏
Storybook devs: upgrade now, whitelist origins, enforce strict CSP. 𝕏
Echoes past serialization flaws — expect more in microfrontend era. 𝕏

Published by

DevTools Feed

Ship faster. Build smarter.

#DOM XSS #GHSA-CCGF-5RWJ-J3HV #Storybook #postmessage security #telejson

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to

⚡ Key Takeaways

The 60-Second TL;DR

DevTools Feed

Share this article

Worth sharing?

Related Stories

Dead Code Erased $440 Million from Knight Capital in Just 45 Minutes

Terraform Secrets: The State File Trap No One Talks About

Containers: Just Processes, Kernel-Constrained

Docker for Beginners: Containers That Ship Code Like Cargo Ships

Stay in the loop