Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr)
- Severity:
- Medium
Description
In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
Recommendation
Update the vega package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.31.0
- Patched version(s): 5.31.0
References
Related Issues
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext (GHSA-hhhv-q57g-882q) - CVE-2024-28176
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Tags:
- npm
- vega
Anything's wrong? Let us know Last updated on April 11, 2025