TeleJSON versions before 6.0.0 contain a DOM-based XSS vulnerability in the parse() function. The vulnerability occurs because the custom reviver function uses the constructor name from JSON input directly in new Function() without sanitization. This allows attackers to inject arbitrary JavaScript code when the library recreates object prototypes from JSON payloads. Attackers can exploit this via cross-frame communication mechanisms such as postMessage to execute scripts within the application context. The vulnerability has a CVSS 4.0 score of 2.1, reflecting low severity due to required user interaction and limited impact scope.

Successful exploitation allows execution of arbitrary JavaScript within the context of the affected application, potentially leading to script injection attacks. However, the low CVSS score and requirement for user interaction reduce the overall risk. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid processing untrusted JSON payloads with telejson's parse() function, especially in contexts involving cross-frame communication such as postMessage. Monitor vendor channels for updates and apply patches promptly once available.