Vega Expression Language `scale` expression function Cross Site Scripting

Severity:: Medium

Description

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Recommendation

Update the vega-functions package to the latest compatible version. Followings are version details:

Affected version(s): < 5.13.1
Patched version(s): 5.13.1

References

GHSA-4vq7-882g-wcg4
github.dev
vega.github.io
CVE-2023-26486
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4) - CVE-2023-26486
Vega has Cross-site Scripting vulnerability in `lassoAppend` function - CVE-2023-26487
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487

Tags:: npm; vega-functions

Anything's wrong? Let us know Last updated on March 09, 2023