Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter
- Severity:
- Medium
Description
In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
Recommendation
Update the vega-functions package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.16.0
- Patched version(s): 5.16.0
References
Related Issues
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2 - CVE-2025-59840
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- Tags:
- npm
- vega-functions
Anything's wrong? Let us know Last updated on April 11, 2025