Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2

Description

Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if “safe mode” expressionInterpreter is used.

1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window 2.

Recommendation

Update the vega-interpreter package to the latest compatible version. Followings are version details:

• Affected version(s): **< 1.2.1

  >= 2.0.0, < 2.2.1**

• Patched version(s): **1.2.1

  2.2.1**

References

• GHSA-7f2v-3qq3-vvjf
• vega.github.io
• CVE-2025-59840
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619

Tags:

npm

vega-interpreter