Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia

Description

Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if “safe mode” expressionInterpreter is used.

1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window 2.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

• Affected version(s): < 6.2.0
• Patched version(s): 6.2.0

References

• GHSA-7f2v-3qq3-vvjf
• vega.github.io
• CVE-2025-59840
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2 - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619

Tags:

npm

vega