DOM-based XSS in gmail-js

Severity:: High

Description

Affected versions of gmail-js are vulnerable to cross-site scripting in the tools.parse_response, helper.get.visible_emails_post, and helper.get.email_data_post functions, which pass user input directly into the Function constructor.

Recommendation

Update the gmail-js package to the latest compatible version. Followings are version details:

Affected version(s): <= 0.6.4
Patched version(s): 0.6.5

References

GHSA-c7pp-g2v2-2766
www.npmjs.com
CVE-2016-1000228
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes - CVE-2025-53892
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage - CVE-2026-26862
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes - vue-i18n - CVE-2025-53892
DOM-based XSS in auth0-lock - CVE-2020-15119

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; gmail-js

Anything's wrong? Let us know Last updated on January 09, 2023