
AIKIDO-2026-11068

@ungap/structured-clone is vulnerable to Improper Control of Generation of Code ('Code Injection')

Improper Control of Generation of Code ('Code Injection') Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

57

Medium Risk

This Affects:

JS (npm): @ungap/structured-clone
Affected versions: 0.0.1 - 1.3.0
Fixed in 1.3.1

TL;DR

The deserialize function in the structured-clone polyfill reconstructs values by calling new globalThis[name](value), where the constructor name is read from the serialized input. The code did not validate that name. When an application passes attacker-controlled serialized data to deserialize, the attacker can name constructors such as Function, eval, Worker, SharedWorker, setTimeout, or setInterval and trigger code execution in the host environment: Function compiles attacker-supplied source into a callable function, and Worker or SharedWorker start executing a script from an attacker-supplied URL as soon as they are constructed. The patch introduces a guard that throws a TypeError for these dangerous constructors before instantiation.
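The constructor lookup described above, modelled in a few lines so the failure and the fix can be run side by side. This is an added example, not code from @ungap/structured-clone or from the patch: it assumes a serialized record of the shape [typeName, value] (a simplification of the real format) and uses its own function names unsafeRevive, isDangerousType, denylistRevive and allowlistRevive. The deny-list guard follows the shape the advisory gives for the patch (TypeError before instantiation); the allow-list variant is this editor's stricter alternative, not what the library shipped.

```javascript
// Added example modelling the advisory's finding; not the library's code.
// A serialized record is assumed to be [typeName, value] (simplified shape).

// Vulnerable model: the type tag from untrusted input selects any global
// constructor, the `new globalThis[name](value)` pattern the advisory reports.
function unsafeRevive([typeName, value]) {
  return new globalThis[typeName](value);
}

// Names the advisory says the patch rejects. `eval` is not a constructor, so
// `new eval(...)` already throws on its own; Function (compiles attacker
// source) and Worker/SharedWorker (run a script from an attacker URL) are the
// entries that yield execution. The rest are kept for parity with the guard.
const DANGEROUS = new Set([
  'Function', 'eval', 'Worker', 'SharedWorker', 'setTimeout', 'setInterval',
]);

function isDangerousType(typeName) {
  return DANGEROUS.has(typeName);
}

// Guard in the shape the advisory describes: deny-list, TypeError before `new`.
function denylistRevive([typeName, value]) {
  if (isDangerousType(typeName)) {
    throw new TypeError(`Refusing to construct ${typeName} from serialized data`);
  }
  return new globalThis[typeName](value);
}

// Stricter alternative (editor's design, not the patch): resolve the tag
// through a fixed table instead of globalThis, so no other global, whether
// user-defined or a future built-in, is reachable from input at all.
const ALLOWED = new Map([
  ['Date', Date], ['Boolean', Boolean], ['Number', Number], ['String', String],
  ['Uint8Array', Uint8Array], ['Int32Array', Int32Array], ['Float64Array', Float64Array],
]);

function allowlistRevive([typeName, value]) {
  const ctor = ALLOWED.get(typeName);
  if (ctor === undefined) {
    throw new TypeError(`Unsupported type tag ${JSON.stringify(typeName)}`);
  }
  return new ctor(value);
}

// Constructed attacker record: in a real deployment it would cross a trust
// boundary (network request, postMessage, storage) and reach deserialize as-is.
const ATTACKER_RECORD = ['Function', 'return 6 * 7'];

// Runs the three revivers on the attacker record and reports what happened.
function demo() {
  const fn = unsafeRevive(ATTACKER_RECORD);      // attacker-compiled function
  const results = { unsafeCompiled: typeof fn === 'function', unsafeResult: fn() };
  for (const revive of [denylistRevive, allowlistRevive]) {
    try {
      revive(ATTACKER_RECORD);
      results[revive.name] = 'constructed';
    } catch (e) {
      results[revive.name] = e.constructor.name;  // expected: 'TypeError'
    }
  }
  return results;
}
```

demo() shows the vulnerable path returning a function built from the attacker's string, while both guarded paths refuse it with a TypeError and still revive ordinary records such as ['Date', 0]. The deny-list matches the advisory's description of the patch; the allow-list is the form to prefer in your own deserializers, because it closes the lookup entirely rather than enumerating what is known to be harmful today.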

Who does this affect?

You are affected if you use a version in the vulnerable range and call the exported deserialize function on serialized data that an attacker can influence (for example data received over the network, via postMessage, or read back from storage). The default structuredClone export, which serializes and deserializes an in-process value in one step, does not expose attacker-controlled type tags on its own. The package is frequently pulled in as a transitive dependency, so check the installed version with npm ls @ungap/structured-clone rather than relying on your direct dependency list.

Background info

@ungap/structured-clone is a polyfill of the structuredClone API that exposes serialize and deserialize functions alongside the default export. Versions 0.0.1 - 1.3.0 are vulnerable to Improper Control of Generation of Code ('Code Injection') because deserialize instantiates constructors by the name found in the serialized input without validation.

How to fix this

Upgrade @ungap/structured-clone to version 1.3.1 or later, which rejects the dangerous constructor names with a TypeError before instantiation. Until you can upgrade, do not pass serialized data from untrusted sources to deserialize.