Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter
- Severity: Medium
Description
In vega 5.30.0 and lower and vega-functions 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
Recommendation
Update the vega-functions package to the latest compatible version. Version details:
- Affected version(s): < 5.16.0
- Patched version(s): 5.16.0
References
Related Issues
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - CVE-2024-28176
- url-parse incorrectly parses hostname / protocol due to unstripped leading control characters - CVE-2022-0691
- Tags: npm, vega-functions
Last updated on April 11, 2025