Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2

Description

Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if “safe mode” expressionInterpreter is used.

1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window 2.

Recommendation

Update the vega-interpreter package to the latest compatible version. Followings are version details:

• Affected version(s): **< 1.2.1

  >= 2.0.0, < 2.2.1**

• Patched version(s): **1.2.1

  2.2.1**

References

• GHSA-7f2v-3qq3-vvjf
• vega.github.io
• CVE-2025-59840
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Server secret was included in static assets and served to clients - Vulnerability
• Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
• Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
• Incorrect default cookie name and recommendation - Vulnerability

Tags:

npm

vega-interpreter