Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia

Description

Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if “safe mode” expressionInterpreter is used.

1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window 2.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

• Affected version(s): < 6.2.0
• Patched version(s): 6.2.0

References

• GHSA-7f2v-3qq3-vvjf
• vega.github.io
• CVE-2025-59840
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
• Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability (GHSA-m5vv-6r4h-3vj9) - CVE-2024-35255
• tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled envir - CVE-2024-49364
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619

Tags:

npm

vega