Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter (GHSA-rcw3-wmx7-cphr)
- Severity: Medium
Description
In vega 5.30.0 and lower and vega-functions 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
Recommendation
Update the vega package to the latest compatible version. Version details:
- Affected version(s): < 5.31.0
- Patched version(s): 5.31.0
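As an added example (not part of this advisory or of the Vega project), the script below checks an npm package-lock.json against the version ranges stated above; the lockfile contents are constructed, and treating vega-functions versions above 5.15.0 as outside the rule is an assumption, since the advisory lists no patched version for that package.

```javascript
// Added example, not from the advisory or the Vega project: flag lockfile
// entries that fall in the version ranges this advisory names.
const RULES = {
  vega: { fixedIn: "5.31.0" }, // affected < 5.31.0, patched in 5.31.0
  // The advisory names vega-functions 5.15.0 and lower with no patched version;
  // treating anything above 5.15.0 as outside this rule is an assumption.
  "vega-functions": { maxAffected: "5.15.0" },
};

// Parse "MAJOR.MINOR.PATCH", ignoring any prerelease/build suffix.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
function isAffected(name, version) {
  const rule = RULES[name];
  if (!rule) return false;
  if (rule.fixedIn) return compareSemver(version, rule.fixedIn) < 0;
  return compareSemver(version, rule.maxAffected) <= 0;
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json; keys are
// install paths, so nested copies under other dependencies are checked too.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.version) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (isAffected(name, entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}
// Constructed sample lockfile (not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/vega": { version: "5.30.0" },
    "node_modules/vega-functions": { version: "5.15.0" },
    "node_modules/viewer/node_modules/vega": { version: "5.31.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK)); // two hits: vega 5.30.0, vega-functions 5.15.0
```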
References
Related Issues
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) - CVE-2024-28176
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487
- Tags: npm, vega
Last updated on April 11, 2025