Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Severity: High
Description
Applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" expressionInterpreter is used:
1. Use vega in an application that attaches the vega library and a vega.View instance, similar to the Vega Editor, to the global window.
2.
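The precondition above is a property of how the host application is wired, not of any single Vega spec, so it is worth checking mechanically. The following is an added example, not code from the advisory or from the vega project: a small audit helper that reports whether a window-like object exposes the vega library and a vega.View instance globally (Vega Editor style, typically under a VEGA_DEBUG global) and whether the installed vega version is still below the patched 6.2.0. The property names `VEGA_DEBUG.vega` and `VEGA_DEBUG.view`, and the duck-typing of a View by its public `runAsync` and `signal` methods, are assumptions made for this example; adjust them to match your own application.

```javascript
// Added example (not part of the advisory or the vega project): audit whether
// an application sits in the risky configuration the advisory describes,
// i.e. vega library + vega.View reachable from the global object while the
// installed vega is older than 6.2.0.
//
// Assumptions (not from the advisory): a View is recognised by duck typing on
// the public View methods `runAsync` and `signal`; VEGA_DEBUG, when present,
// is an object that may carry `vega` and `view` properties.

const PATCHED_VERSION = [6, 2, 0];

// Parse "6.1.2" (optionally prefixed with "v", "^" or "~") into [major, minor, patch].
function parseSemver(version) {
  const m = /^[\^~v]?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `version` is strictly below the first patched release, 6.2.0.
function isVulnerableVersion(version) {
  const v = parseSemver(version);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED_VERSION[i]) return v[i] < PATCHED_VERSION[i];
  }
  return false; // exactly 6.2.0
}

// Heuristic: does `obj` look like a vega.View instance?
function looksLikeVegaView(obj) {
  return !!obj && typeof obj === 'object'
    && typeof obj.runAsync === 'function'
    && typeof obj.signal === 'function';
}

// Heuristic: does `obj` look like the vega library namespace?
function looksLikeVegaLib(obj) {
  return !!obj && typeof obj.View === 'function' && typeof obj.parse === 'function';
}

// Inspect a window-like object and report which risky conditions hold.
function auditVegaExposure(globalObj, installedVersion) {
  const dbg = globalObj.VEGA_DEBUG;
  const report = {
    vegaOnGlobal: looksLikeVegaLib(globalObj.vega) || (!!dbg && looksLikeVegaLib(dbg.vega)),
    viewOnGlobal: looksLikeVegaView(globalObj.view) || (!!dbg && looksLikeVegaView(dbg.view)),
    debugGlobal: dbg !== undefined,
    versionVulnerable: isVulnerableVersion(installedVersion),
  };
  // The advisory's precondition is library + View reachable from global scope;
  // it only matters while the installed vega is below 6.2.0.
  report.atRisk = report.versionVulnerable && report.vegaOnGlobal && report.viewOnGlobal;
  return report;
}

// Constructed stand-ins (not real vega objects) so the check runs offline.
const fakeVega = { View: function View() {}, parse: () => ({}) };
const fakeView = { runAsync: async () => {}, signal: () => {} };

// Vega Editor style exposure: everything hangs off window.VEGA_DEBUG.
const editorLikeWindow = { VEGA_DEBUG: { vega: fakeVega, view: fakeView } };
// Hardened application: nothing vega-related on the global object.
const hardenedWindow = {};

console.log(auditVegaExposure(editorLikeWindow, '6.1.2')); // atRisk: true
console.log(auditVegaExposure(editorLikeWindow, '6.2.0')); // atRisk: false
console.log(auditVegaExposure(hardenedWindow, '6.1.2'));   // atRisk: false
```

In a real deployment, pass `window` and the version reported by `vega.version` (or your lockfile) instead of the constructed objects. Note that the version check is the decisive fix; removing the global exposure only narrows the attack surface for applications that cannot upgrade immediately.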
Recommendation
Update the vega package to the latest compatible version. Version details:
- Affected version(s): < 6.2.0
- Patched version(s): 6.2.0
Related Issues
- Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036
- @sveltejs/kit has memory amplification DoS vulnerability in Remote Functions binary form deserializer (application/x-sve - CVE-2026-22803
- Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function ga - CVE-2025-65110
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
Tags: npm, vega
Last updated on November 14, 2025